Abstract

Recently, the problem of privacy amplification with an active adversary has received a lot of attention. Given a shared $n$-bit weak random source $X$ with min-entropy $k$ and a security parameter $s$, the main goal is to construct an explicit 2-round privacy amplification protocol that achieves entropy loss $O(s)$. Dodis and Wichs [DW09] showed that optimal protocols can be achieved by constructing explicit non-malleable extractors. However, the best known explicit non-malleable extractor only achieves $k = 0.49n$ [Li12b], and evidence in [Li12b] suggests that constructing explicit non-malleable extractors for smaller min-entropy may be hard. In an alternative approach, Li [Li12a] introduced the notion of a non-malleable condenser and showed that explicit non-malleable condensers also give optimal privacy amplification protocols.

In this paper, we give the first construction of non-malleable condensers for arbitrary min-entropy. Using our construction, we obtain a 2-round privacy amplification protocol with optimal entropy loss for security parameter up to $s = \Omega(\sqrt{k})$. This is the first protocol that simultaneously achieves optimal round complexity and optimal entropy loss for arbitrary min-entropy $k$. We also generalize this result to obtain a protocol that runs in $O(s/\sqrt{k})$ rounds with optimal entropy loss, for security parameter up to $s = \Omega(k)$. This significantly improves the protocol in [CKOR10]. Finally, we give a better non-malleable condenser for linear min-entropy, and in this case obtain a 2-round protocol with optimal entropy loss for security parameter up to $s = \Omega(k)$, which improves the entropy loss and communication complexity of the protocol in [Li12b].
1 Introduction



Modern cryptographic applications rely heavily on the use of randomness. Indeed, without true 
randomness some basic tasks such as bit commitment and encryption would become impossible. 
However, most of these applications require uniform random bits, yet real world random sources are 
rarely uniformly distributed. In addition, even initially uniform secret keys could be damaged by side 
channel attacks of an adversary. Naturally, the random sources we can use become imperfect, and it 
is therefore important to study how to run cryptographic applications using imperfect randomness. 

In this general context, Bennett, Brassard, and Robert [BBR88] introduced the basic cryp- 
tographic question of privacy amplification. Consider the simple model where two parties (Alice 
and Bob) share an n-bit secret key X, which is weakly random. They also share a public channel 
which is monitored by an adversary Eve, and have access to local (non-shared) uniform private 
random bits. The goal now is for Alice and Bob to communicate over the channel to transform X 
into a nearly uniform secret key, so that Eve has negligible information about it. To measure the 
randomness in X, we use the standard min-entropy. 

Definition 1.1. The min-entropy of a random variable $X$ is

$$H_\infty(X) = \min_{x \in \mathrm{supp}(X)} \log_2\big(1/\Pr[X = x]\big).$$

For $X \in \{0,1\}^n$, we call $X$ an $(n, H_\infty(X))$-source, and we say $X$ has entropy rate $H_\infty(X)/n$.

We assume the adversary Eve has unlimited computational power. If Eve is passive, then this 
problem can be solved by using a well-studied combinatorial object called "strong extractor". 

Notation. We let $[s]$ denote the set $\{1, 2, \ldots, s\}$. For $\ell$ a positive integer, $U_\ell$ denotes the uniform distribution on $\{0,1\}^\ell$, and for $S$ a set, $U_S$ denotes the uniform distribution on $S$. When used as a component in a vector, each $U_\ell$ or $U_S$ is assumed independent of the other components. We say $W \approx_\epsilon Z$ if the random variables $W$ and $Z$ have distributions which are $\epsilon$-close in variation distance.

Definition 1.2. A function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a strong $(k, \epsilon)$-extractor if for every source $X$ with min-entropy $k$ and independent $Y$ which is uniform on $\{0,1\}^d$,

$$(\mathrm{Ext}(X, Y), Y) \approx_\epsilon (U_m, Y).$$

Once we have a strong extractor, we can have Alice sample a fresh random string $Y$ and send it to Bob. They then both compute $\mathrm{Ext}(X, Y)$. Since Eve only sees $Y$, the property of the strong extractor guarantees that the output is close to uniform even given this information. However, if Eve is active, then the problem becomes much harder and the above simple solution fails: Eve can replace $Y$ by some $Y' \ne Y$ on the channel, after which Alice and Bob hold different keys and neither side can tell. In this case, there has been a lot of effort in trying to achieve optimal parameters [MW97, DKRS06, DW09, RW03, KR09, CKOR10, DLWZ11, CRS12, Li12a, Li12b]. More specifically, [MW97] gave the first non-trivial protocol which takes one round and works when the entropy rate of $X$ is bigger than $2/3$. [DKRS06] later improved this to work for entropy rate bigger than $1/2$, yet both these results suffer from the drawback that the final secret key $R$ is significantly shorter than the min-entropy of $X$. [DW09] showed that it is impossible to construct a one-round protocol for entropy rate less than $1/2$. The first protocol which works for entropy rate below $1/2$ appeared in [RW03], which was simplified by [KR09] and shown to run in $O(s)$ rounds and achieve entropy loss $O(s^2)$, where $s$ is the security parameter of the protocol. (A protocol has security parameter $s$ if Eve cannot predict the final key with advantage more than $2^{-s}$ over random. When Eve is active, we also require that the probability that Alice and Bob output different secrets without either of them aborting is at most $2^{-s}$.)
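The passive-adversary protocol above, as an added worked example (this is not code from the paper). $\mathrm{Ext}$ is instantiated with a Toeplitz-matrix hash over $\mathrm{GF}(2)$, which the leftover hash lemma makes a strong extractor: with a $k$-source and $m$ output bits the distance of $(\mathrm{Ext}(X,Y),Y)$ from $(U_m,Y)$ is at most $\tfrac{1}{2}\cdot 2^{-(k-m)/2}$, here $1/8$ for $k = 8$, $m = 4$. The weak source (first $k$ bits uniform, the rest fixed), the sizes and the RNG seed are constructed assumptions. The last function shows the active attack that the text says breaks this one-round protocol: one substituted seed bit desynchronises the two keys with no abort.

```python
"""Privacy amplification with a PASSIVE Eve, using a seeded strong extractor.
Added example, not the paper's code.  Ext is a Toeplitz hash over GF(2); the
weak source X is constructed (n = 12 bits, only the first k = 8 are random)."""
import itertools
import random

N_BITS, K_MIN_ENTROPY = 12, 8
M_OUT = 4                      # output length; leftover hash lemma: distance <= 1/2 * 2^-(k-m)/2
SEED_LEN = N_BITS + M_OUT - 1  # an m x n Toeplitz matrix is fixed by its first row and column
FIXED_TAIL = (1, 0, 1, 1)      # the n-k non-random bits of the constructed source


def toeplitz_ext(x, seed, m):
    """Strong extractor Ext(x, seed): multiply x by the m x n Toeplitz matrix T with
    T[i][j] = seed[i - j + n - 1] over GF(2).  Returns m output bits as a tuple."""
    n = len(x)
    assert len(seed) == n + m - 1, "seed must define an m x n Toeplitz matrix"
    return tuple(sum(x[j] & seed[i - j + n - 1] for j in range(n)) & 1 for i in range(m))


def weak_source(rng):
    """Constructed (n, k)-source: k uniform bits followed by n-k fixed bits."""
    return tuple(rng.randrange(2) for _ in range(K_MIN_ENTROPY)) + FIXED_TAIL


def passive_run(x, rng):
    """Round 1: Alice samples the seed and sends it in the clear; both apply Ext.
    Eve sees y but learns (almost) nothing about Ext(x, y)."""
    y = tuple(rng.randrange(2) for _ in range(SEED_LEN))
    return y, toeplitz_ext(x, y, M_OUT), toeplitz_ext(x, y, M_OUT)   # y, Alice's key, Bob's key


def stat_distance_from_uniform(y, m):
    """Statistical distance of Ext(X, y) from U_m for a fixed seed y, enumerating the
    2^k values of the constructed source."""
    counts = {}
    for free in itertools.product((0, 1), repeat=K_MIN_ENTROPY):
        out = toeplitz_ext(free + FIXED_TAIL, y, m)
        counts[out] = counts.get(out, 0) + 1
    total = 2 ** K_MIN_ENTROPY
    return 0.5 * sum(abs(counts.get(o, 0) / total - 2 ** -m)
                     for o in itertools.product((0, 1), repeat=m))


def average_distance(trials, rng):
    """Average over random seeds: the quantity the leftover hash lemma bounds."""
    return sum(stat_distance_from_uniform(tuple(rng.randrange(2) for _ in range(SEED_LEN)), M_OUT)
               for _ in range(trials)) / trials


def active_eve_desyncs(x, y):
    """Why this fails against an ACTIVE Eve: flipping a single seed bit in transit makes
    Alice and Bob derive different keys, and the protocol has no check that notices."""
    for p in range(len(y)):
        y_prime = y[:p] + (1 - y[p],) + y[p + 1:]
        if toeplitz_ext(x, y, M_OUT) != toeplitz_ext(x, y_prime, M_OUT):
            return True
    return False


def demo(seed=2024):
    """Run the three experiments with a fixed RNG seed and return the results."""
    rng = random.Random(seed)
    x = weak_source(rng)
    y, r_alice, r_bob = passive_run(x, rng)
    return {"keys_agree": r_alice == r_bob,
            "avg_distance": average_distance(64, rng),
            "active_eve_desyncs": active_eve_desyncs(x, y)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The average distance reported is an empirical average over 64 sampled seeds, so it is an estimate of the lemma's bound rather than the bound itself; the per-seed distance is exactly 0 whenever the seed's Toeplitz matrix has full rank on the source's free coordinates.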

[DW09] improved the number of rounds to 2 but the entropy loss remains $O(s^2)$. [CKOR10] improved the entropy loss to $O(s)$ but the number of rounds blows up to $O(s)$. The natural open question is therefore whether there is a 2-round protocol with entropy loss $O(s)$. In the special case where the entropy rate is bigger than $1/2$, [DLWZ11, CRS12, Li12a] gave 2-round protocols with entropy loss $O(s)$. For any constant $0 < \delta < 1$, [DLWZ11] also gave a protocol for $k = \delta n$ that runs in $\mathrm{poly}(1/\delta)$ rounds with entropy loss $\mathrm{poly}(1/\delta)\, s = O(s)$. Recently, [Li12b] gave an improved protocol for $k = \delta n$ that runs in 2 rounds and achieves optimal entropy loss $2^{\mathrm{poly}(1/\delta)} s = O(s)$.

In [DW09], Dodis and Wichs introduced the notion of a "non-malleable extractor" and showed that such an object can be used to construct 2-round privacy amplification protocols with optimal entropy loss.

Definition 1.3.¹ A function $\mathrm{nmExt} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a $(k, \epsilon)$-non-malleable extractor if, for any source $X$ with $H_\infty(X) \ge k$ and any function $\mathcal{A} : \{0,1\}^d \to \{0,1\}^d$ such that $\mathcal{A}(y) \ne y$ for all $y$, the following holds. When $Y$ is chosen uniformly from $\{0,1\}^d$ and independent of $X$,

$$\big(\mathrm{nmExt}(X, Y),\ \mathrm{nmExt}(X, \mathcal{A}(Y)),\ Y\big) \approx_\epsilon \big(U_m,\ \mathrm{nmExt}(X, \mathcal{A}(Y)),\ Y\big).$$

Dodis and Wichs showed that non-malleable extractors exist when $k > 2m + 3\log(1/\epsilon) + \log d + 9$ and $d > \log(n - k + 1) + 2\log(1/\epsilon) + 7$. However, they only constructed weaker forms of non-malleable extractors. The first explicit construction of non-malleable extractors appears in [DLWZ11], which works for entropy $k > n/2$. Later, various improvements appear in [CRS12, Li12a, DY12]. However, the entropy requirement remains $k > n/2$. Recently, Li [Li12b] gave the first explicit non-malleable extractor that breaks this barrier, which works for $k = (1/2 - \delta)n$ for some constant $\delta > 0$. [Li12b] also showed a connection between non-malleable extractors and two-source extractors, which suggests that constructing explicit non-malleable extractors for smaller entropy may be hard.

Given the above background, an alternative approach seems promising. This is the notion of a non-malleable condenser introduced in [Li12a]. While a non-malleable extractor requires the output to be close to uniform, a non-malleable condenser only requires the output to have enough min-entropy.

Definition 1.4. [Li12b] A $(k, k', \epsilon)$ non-malleable condenser is a function $\mathrm{nmCond} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ such that given any $(n, k)$-source $X$, an independent uniform seed $Y \in \{0,1\}^d$, and any (deterministic) function $\mathcal{A} : \{0,1\}^d \to \{0,1\}^d$ such that $\forall y,\ \mathcal{A}(y) \ne y$, we have that with probability $1 - \epsilon$ over the fixing of $Y = y$,

$$\Pr_{z' \leftarrow \mathrm{nmCond}(X, \mathcal{A}(y))}\Big[\mathrm{nmCond}(X, y)\big|_{\mathrm{nmCond}(X, \mathcal{A}(y)) = z'} \text{ is } \epsilon\text{-close to an } (m, k')\text{-source}\Big] \ge 1 - \epsilon.$$

As can be seen from the definition, a non-malleable condenser is a strict relaxation of a non-malleable extractor. In [Li12a], Li showed that non-malleable condensers can also be used to construct 2-round privacy amplification protocols with optimal entropy loss. Thus one can hope to construct explicit non-malleable condensers for smaller min-entropy.

¹ Following [DLWZ11], we define worst-case non-malleable extractors, which is slightly different from the original definition of average-case non-malleable extractors in [DW09]. However, the two definitions are essentially equivalent up to a small change of parameters.
1.1 Our results



In this paper, we indeed succeed in the above approach. We construct explicit non-malleable condensers for essentially any min-entropy. Our first theorem is as follows.

Theorem 1.5. There exists a constant $C > 0$ such that for any $n, k \in \mathbb{N}$ and $s > 0$ with $k \ge C(\log n + s)^2$, there is an explicit $(k, s, 2^{-s})$-non-malleable condenser with seed length $d = O((\log n + s)^2)$ and output length $m = O((\log n + s)^2)$.

Combining this theorem with the protocol in [Li12a], we immediately obtain a 2-round privacy amplification protocol with optimal entropy loss for any security parameter up to $s = \Omega(\sqrt{k})$. This is the first explicit protocol that simultaneously achieves optimal parameters in both round complexity and entropy loss, for arbitrary min-entropy.

Theorem 1.6. There exists a constant $C$ such that for any $\epsilon > 0$ with $k \ge C(\log n + \log(1/\epsilon))^2$, there exists an explicit 2-round privacy amplification protocol for $(n, k)$ sources with security parameter $\log(1/\epsilon)$, entropy loss $O(\log n + \log(1/\epsilon))$ and communication complexity $O((\log n + \log(1/\epsilon))^2)$.

We note that except for the protocol in [CKOR10], all previous results that work for arbitrary min-entropy $k$ only achieve security parameter up to $s = \Omega(\sqrt{k})$, like our protocol, and all of them have entropy loss $O(s^2)$. In this paper, we finally manage to reduce the entropy loss to $O(s)$. Thus, for this range of security parameter, ignoring the communication complexity, we essentially obtain optimal privacy amplification protocols.

For the special case where $k = \delta n$ for some constant $0 < \delta < 1$, we can do better. Here we have the following theorem.

Theorem 1.7. For any constant $0 < \delta < 1$ and $k = \delta n$ there exists a constant $C = 2^{\mathrm{poly}(1/\delta)}$ such that given any $0 < s < k/C$, there is an explicit $(k, s, 2^{-s})$-non-malleable condenser with seed length $d = \mathrm{poly}(1/\delta)(\log n + s)$ and output length $m = 2^{\mathrm{poly}(1/\delta)}(\log n + s)$.

Combined with the protocol in [Li12a], this theorem yields:

Theorem 1.8. There exists an absolute constant $C_0 > 1$ such that for any constant $0 < \delta < 1$ and $k = \delta n$ there exists a constant $C_1 = 2^{\mathrm{poly}(1/\delta)}$ such that given any $\epsilon > 0$ with $C_1 \log(1/\epsilon) < k$, there exists an explicit 2-round privacy amplification protocol for $(n, k)$ sources with security parameter $\log(1/\epsilon)$, entropy loss $C_0(\log n + \log(1/\epsilon))$ and communication complexity $\mathrm{poly}(1/\delta)(\log n + \log(1/\epsilon))$.

Note that for security parameter $s$, the 2-round protocol for $k = \delta n$ in [Li12b] has entropy loss $2^{\mathrm{poly}(1/\delta)} s$ and communication complexity $2^{\mathrm{poly}(1/\delta)} s$. Here, we improve the entropy loss to $C_0 s$ for an absolute constant $C_0 > 1$ and the communication complexity to $\mathrm{poly}(1/\delta)\, s$.

Finally, one can ask what happens if, for arbitrary min-entropy $k$, we want to achieve security parameter bigger than $\sqrt{k}$, as in [CKOR10]. Using our techniques combined with some techniques from [CKOR10], we obtain the following theorem.

Theorem 1.9. There exists a constant $C > 1$ such that for any $n, k \in \mathbb{N}$ with $k > \log^4 n$ and any $\epsilon > 0$ with $k > C\log(1/\epsilon)$, there exists an explicit $O((\log n + \log(1/\epsilon))/\sqrt{k})$-round privacy amplification protocol for $(n, k)$ sources with security parameter $\log(1/\epsilon)$, entropy loss $O(\log n + \log(1/\epsilon))$ and communication complexity $O((\log n + \log(1/\epsilon))\sqrt{k})$.

Thus, we can essentially achieve security parameter up to $s = \Omega(k)$ with optimal entropy loss, at the price of increasing the number of rounds to $O(s/\sqrt{k})$. Note that the protocol in [CKOR10], though also achieving optimal entropy loss, runs in $\Omega(s)$ rounds. Thus our protocol improves their round complexity by a $\sqrt{k}$ factor. For large $k$ this is a huge improvement, especially in practice.

Table 1 summarizes our results compared to some previous results, assuming the security parameter is $s$.



Construction            Entropy of X      Security parameter      Rounds                    Entropy loss
----------------------  ----------------  ----------------------  ------------------------  --------------------------
Optimal, non-explicit   k > log n         s ≤ Ω(k)                2                         O(s + log n)
[MW97]                  k > 2n/3          s = Θ(k)                1                         Θ(n − k)
[DKRS06]                k > n/2           s = Θ(k)                1                         Θ(n − k)
[RW03, KR09]            k > polylog(n)    s ≤ Ω(√k)               O(s + log n)              Θ((s + log n)^2)
[DW09]                  k > polylog(n)    s ≤ Ω(√k)               2                         Θ((s + log n)^2)
[CKOR10]                k > polylog(n)    s ≤ Ω(k)                O(s + log n)              O(s + log n)
[DLWZ11]                k > δn            s ≤ k/poly(1/δ)         poly(1/δ)                 poly(1/δ)(s + log n)
[Li12b]                 k > δn            s ≤ k/2^{poly(1/δ)}     2                         2^{poly(1/δ)}(s + log n)
This work               k > polylog(n)    s ≤ Ω(√k)               2                         Θ(s + log n)
This work               k > polylog(n)    s ≤ Ω(k)                Θ((s + log n)/√k)         Θ(s + log n)
This work               k > δn            s ≤ k/2^{poly(1/δ)}     2                         O(s + log n)

Table 1: Summary of Results on Privacy Amplification with an Active Adversary



2 Overview of The Constructions and Techniques 

Here we give an informal overview of our constructions and the technique used. To give a clear 
description, we shall be imprecise sometimes. 

2.1 Non-malleable condenser for arbitrary min-entropy 

For an $(n, k)$ source $X$, our non-malleable condenser uses a uniform seed $Y = (Y_1, Y_2)$, where $Y_2$ has a bigger size than $Y_1$, say $|Y_1| = d$ and $|Y_2| = 10d$. Consider now any function $\mathcal{A}(Y) = Y' = (Y'_1, Y'_2)$. In the following we will use primed letters to denote variables produced with $Y'$. Since $Y' \ne Y$, we have two cases: $Y_1 = Y'_1$ or $Y_1 \ne Y'_1$. The output of our non-malleable condenser will be $Z = \mathrm{nmCond}(X, Y) = (V_1, V_2)$. Intuitively, $V_1$ handles the case where $Y_1 = Y'_1$ and $V_2$ handles the case where $Y_1 \ne Y'_1$. We now describe the two cases separately.

If $Y_1 = Y'_1$, then we take a strong extractor $\mathrm{Ext}$ and compute $W = \mathrm{Ext}(X, Y_1)$. Note that $W = W'$ since $Y_1 = Y'_1$. Since $Y' \ne Y$, we must have $Y'_2 \ne Y_2$. We now fix $Y_1$ (and $Y'_1$); conditioned on this fixing, $W = W'$ is still (close to) uniform and now $Y'_2$ is a deterministic function of $Y_2$. At this point, we can take any non-malleable extractor $\mathrm{nmExt}$ from [DLWZ11, CRS12, Li12a] and compute $V_1 = \mathrm{nmExt}(W, Y_2)$. Since $W$ is uniform, by the property of the non-malleable extractor we have that $V_1$ is (close to) uniform even conditioned on the fixing of $V'_1$ and $(Y_2, Y'_2)$. Now let the size of $V_1$ be bigger than the size of $V_2$, say $|V_1| \ge |V_2| + s$. Thus the further conditioning on the fixing of $V'_2$ will still leave $V_1$ with entropy roughly $s$. This takes care of our first case.

If $Y_1 \ne Y'_1$, then we first fix $(Y_1, Y'_1)$. Note that fixing $Y'_1$ may cause $Y_2$ to lose entropy. However, since $|Y_2| = 10|Y_1|$, conditioned on this fixing $Y_2$ still has entropy rate roughly $9/10$, and now $Y'_2$ is a deterministic function of $Y_2$. We further fix $W'$, which is now a deterministic function of $X$. As long as the entropy of $X$ is larger than the size of $W$, conditioned on this fixing $X$ still has a lot of entropy. Note that after these fixings $X$ and $Y_2$ are still independent. Now, we use $X$ and $Y_2$ to perform an alternating extraction protocol. Specifically, take the first $3d$ bits of $Y_2$ to be $S_0$; we compute the following random variables:

$$R_0 = \mathrm{Raz}(S_0, X),\quad S_1 = \mathrm{Ext}(Y_2, R_0),\quad R_1 = \mathrm{Ext}(X, S_1),\quad S_2 = \mathrm{Ext}(Y_2, R_1),\quad R_2 = \mathrm{Ext}(X, S_2),\ \ldots,\ S_t = \mathrm{Ext}(Y_2, R_{t-1}),\quad R_t = \mathrm{Ext}(X, S_t).$$

Here $\mathrm{Raz}$ is the two-source extractor in [Raz05], which works as long as the first source has entropy rate $> 1/2$, and $\mathrm{Ext}$ is a strong extractor. We take $t = 4d$ and let each $R_i$ output $s$ bits. Note that in the first step $S_0$ roughly has entropy rate $2/3$ (fixing $Y'_1$ costs $Y_2$ at most $d$ bits of entropy, and $S_0$ has $3d$ bits), thus we need to use the two-source extractor $\mathrm{Raz}$. In all subsequent steps $S_i$, $R_i$ are (close to) uniform, thus it suffices to use a strong extractor.

In the above alternating extraction protocol, as long as the size of each $(S_i, R_i)$ is relatively small, one can show that for any $i$, $R_i$ is (close to) uniform conditioned on $\{R_j, R'_j : j < i\}$ and $(Y_2, Y'_2)$ (recall $\{R'_j\}$ are the random variables produced by $Y'_2$ instead of $Y_2$). Next, we borrow some ideas from [DW09]. Specifically, they showed an efficient map $f$ from a string with $d$ bits to a subset of $[4d]$, such that for any $\mu \in \{0,1\}^d$, $|f(\mu)| = 2d$. Moreover, for any $\mu \ne \mu'$, there exists a $j \in [4d]$ such that $|f(\mu)^{\ge j}| > |f(\mu')^{\ge j}|$, where $f(\mu)^{\ge j}$ denotes the subset of $f(\mu)$ which contains all the elements $\ge j$. Now, let $R = (R_1, \ldots, R_t)$; we define a "look-ahead" MAC $\mathrm{laMAC}$ such that for any $\mu \in \{0,1\}^d$, $\mathrm{laMAC}_R(\mu) = \{R_i\}_{i \in f(\mu)}$. Now our $V_2$ is computed as $V_2 = \mathrm{laMAC}_R(Y_1)$. Note that since we have fixed $(Y_1, Y'_1)$, we can now view them as two different strings in $\{0,1\}^d$. Thus, there exists a $j \in [4d]$ such that $|f(Y_1)^{\ge j}| > |f(Y'_1)^{\ge j}|$. Now let $\tilde{R}$ be the concatenation of those $R_i$'s in $V_2$ with $i \ge j$ and $\tilde{R}'$ be the corresponding variable for $V'_2$; then the size of $\tilde{R}$ is bigger than the size of $\tilde{R}'$ by at least $s$. Moreover, $\tilde{R}$ is (close to) uniform conditioned on the fixing of $\{R'_i : i < j\}$ and $(Y_2, Y'_2)$. Thus $\tilde{R}$ roughly has entropy $s$ even conditioned on the fixing of $\tilde{R}'$, $\{R'_i : i < j\}$ and $(Y_2, Y'_2)$, which together determine $V'_2$. Since we have fixed $W'$ before, $V'_1$ is also fixed. Thus we have that $Z$ has entropy roughly $s$ even conditioned on the fixing of $Z'$ and $(Y_2, Y'_2)$. This takes care of our second case.

Thus, we obtain a non-malleable condenser for any min-entropy. However, since in the alternating extraction protocol each $R_i$ outputs $s$ bits, and we need $d = \Omega(s)$ to achieve error $2^{-s}$, the entropy of $X$ has to be larger than $4ds = \Omega(s^2)$. Thus we can only achieve $s$ up to $\Omega(\sqrt{k})$.

2.2 Privacy amplification protocol

Combined with the techniques in [Li12b], our non-malleable condenser immediately gives a 2-round privacy amplification protocol with optimal entropy loss for any min-entropy, with security parameter $s$ up to $\Omega(\sqrt{k})$. To better illustrate the key idea, we also give a slightly simpler 2-round protocol with optimal entropy loss, without using the non-malleable condenser. Assuming the security parameter we want to achieve is $s$, we now describe the protocol.

In the first round, Alice samples 3 random strings $(Y_1, Y_2, Y_3)$ from her private random bits and sends them to Bob, where Bob receives $(Y'_1, Y'_2, Y'_3)$. Assume that $|Y_1| = d$, $|Y_2| = 10d$, $|Y_3| = 50d$. Take a strong extractor $\mathrm{Ext}$; Alice and Bob each compute $R_1 = \mathrm{Ext}(X, Y_1)$ and $R'_1 = \mathrm{Ext}(X, Y'_1)$ respectively. $R_1, R'_1$ each has $4s$ bits. Next, Alice and Bob each use $(X, Y_2)$ and $(X, Y'_2)$ to perform the alternating extraction protocol we described above, where they compute $R_2 = (R_{21}, \ldots, R_{2t})$ and $R'_2 = (R'_{21}, \ldots, R'_{2t})$ respectively, with $t = 4d$. Using $R_2$ and $R'_2$, they compute $Z = \mathrm{laMAC}_{R_2}(Y_1)$ and $Z' = \mathrm{laMAC}_{R'_2}(Y'_1)$ respectively.

In the second round, Bob samples a random string $W'$ from his private random bits and sends it to Alice, where Alice receives $W$. Together with $W'$, Bob also sends two tags $(T'_1, T'_2)$, where Alice receives $(T_1, T_2)$. For $T'_1$, Bob takes the two-source extractor $\mathrm{Raz}$ and computes $T'_1 = \mathrm{Raz}(Y'_3, Z')$. Let $T'_1$ output $s$ bits. For $T'_2$, Bob takes a standard message authentication code (MAC) and computes $T'_2 = \mathrm{MAC}_{R'_1}(W')$, using $R'_1$ as the key. Bob then computes $R_B = \mathrm{Ext}(X, W')$ as the final output. Alice will check whether $T_1 = \mathrm{Raz}(Y_3, Z)$ and $T_2 = \mathrm{MAC}_{R_1}(W)$. If either test fails, Alice rejects. Otherwise Alice computes $R_A = \mathrm{Ext}(X, W)$ as the final output.

As before, the analysis can be divided into two cases: $Y_1 = Y'_1$ and $Y_1 \ne Y'_1$. In the first case, we have $R_1 = R'_1$, which is (close to) uniform and private. Thus $R'_1$ can be used in the MAC to authenticate $W'$ to Alice. Although $T'_1$ may give some information about $R'_1$, note that $R'_1$ has size $4s$ and $T'_1$ has size $s$. Thus even conditioned on $T'_1$, $R'_1$ has entropy roughly $3s$. We note that the MAC works as long as the entropy rate of $R_1$ is bigger than $1/2$. Thus in this case Bob can indeed authenticate $W'$ to Alice and they will agree on a uniform and private final output.

In the second case, again we can first fix $(Y_1, Y'_1)$ and $R'_1$. As before we have that after this fixing, $Y_2$ still has entropy rate roughly $9/10$, $X$ still has a lot of entropy, and $X$ is independent of $(Y_2, Y_3)$. Now we can view $(Y_1, Y'_1)$ as two different strings and by the same analysis as before, $Z$ roughly has entropy $s$ conditioned on the fixing of $Z'$ and $(Y_2, Y'_2)$. Note that after this fixing $Y_3$ still has entropy rate $> 1/2$, and $Y'_3$ is a deterministic function of $Y_3$. Since $\mathrm{Raz}$ is a strong two-source extractor, we have that $\mathrm{Raz}(Y_3, Z)$ is (close to) uniform conditioned on $(Y'_3, Z', R'_1, W')$, which determines $(T'_1, T'_2)$. Thus, in this case Alice will reject with probability $1 - 2^{-s}$, since the probability that Eve guesses $\mathrm{Raz}(Y_3, Z)$ correctly is at most $2^{-s}$.
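The message flow of the 2-round protocol just described, with the alternating extraction and look-ahead MAC of Section 2.1 underneath it, as an added illustration (not code from the paper). $\mathrm{Ext}$, $\mathrm{Raz}$ and $\mathrm{MAC}$ are replaced by SHA-256 stand-ins, which is an assumption: the code reproduces the structure (what each party computes locally, what crosses the channel, what Alice checks) and not the information-theoretic guarantees, which require genuine extractors. The look-ahead map $f$ is my own choice with the property stated in Section 2.1 ($|f(\mu)| = 2d$, and for $\mu \ne \mu'$ some $j$ has $|f(\mu)^{\ge j}| > |f(\mu')^{\ge j}|$); it need not coincide with the map of [DW09]. Sizes are counted in bytes, $X$ is a constructed secret, and $d$ is read as $8d$ bits when indexing $[4d]$.

```python
"""2-round protocol of Section 2.2 over the look-ahead MAC of Section 2.1.
Added example, not the paper's code; Ext/Raz/MAC are SHA-256 stand-ins."""
import bisect
import hashlib
import secrets

S = 4  # stand-in for the security parameter: each R_i and each tag has S bytes


def ext(source, seed, out_len, label=b"ext"):
    """Stand-in for a strong extractor Ext(source, seed).  NOT a real extractor."""
    return hashlib.sha256(label + len(seed).to_bytes(2, "big") + seed + source).digest()[:out_len]


def raz(a, b, out_len):
    """Stand-in for the two-source extractor Raz(a, b)."""
    return ext(a, b, out_len, label=b"raz")


def mac(key, msg):
    """Stand-in for the information-theoretic MAC keyed by R_1."""
    return hashlib.sha256(b"mac" + key + msg).digest()[:S]


def alternating_extraction(x, y2, d, t):
    """S_0 = first 3d bytes of Y_2, R_0 = Raz(S_0, X), then S_i = Ext(Y_2, R_{i-1}) and
    R_i = Ext(X, S_i) for i = 1..t.  Returns [R_1, ..., R_t]."""
    r = raz(y2[:3 * d], x, S)
    rs = []
    for _ in range(t):
        s = ext(y2, r, S)
        r = ext(x, s, S)
        rs.append(r)
    return rs


def bits(mu):
    return [(byte >> k) & 1 for byte in mu for k in range(8)]


def look_ahead_set(mu):
    """f(mu): let c = (mu, complement of mu), a 2d-bit string; bit i of c selects the
    position 2i + c_i of [4d].  |f(mu)| = 2d.  For mu != mu' some i has c_i = 1 and
    c'_i = 0, and then j = 2i + 1 gives |f(mu)^{>=j}| = |f(mu')^{>=j}| + 1."""
    c = bits(mu) + [1 - b for b in bits(mu)]
    return [2 * i + ci for i, ci in enumerate(c)]       # increasing in i, so sorted


def suffix_witness(mu, mu_prime):
    """Smallest j with |f(mu)^{>=j}| > |f(mu')^{>=j}|, or None if there is none."""
    f, g = look_ahead_set(mu), look_ahead_set(mu_prime)
    for j in range(4 * 8 * len(mu) + 1):
        if len(f) - bisect.bisect_left(f, j) > len(g) - bisect.bisect_left(g, j):
            return j
    return None


def la_mac(r, mu):
    """laMAC_R(mu) = {R_i}_{i in f(mu)}, serialised in index order."""
    return b"".join(r[i] for i in look_ahead_set(mu))


def run_protocol(x, tamper=None):
    """One run; `tamper` maps Alice's first message to what Bob receives (Eve's edit).
    Returns (Alice accepts?, Alice's key or None, Bob's key)."""
    d = 2                                   # |Y_1| = d bytes, |Y_2| = 10d, |Y_3| = 50d
    t = 4 * 8 * d                           # t = 4d positions with d counted in bits
    y1, y2, y3 = secrets.token_bytes(d), secrets.token_bytes(10 * d), secrets.token_bytes(50 * d)
    # Round 1, Alice (local): R_1 of 4s bytes and Z = laMAC_{R_2}(Y_1).  Only (Y_1, Y_2, Y_3) is sent.
    r1, z = ext(x, y1, 4 * S), la_mac(alternating_extraction(x, y2, d, t), y1)
    y1p, y2p, y3p = tamper((y1, y2, y3)) if tamper else (y1, y2, y3)
    # Bob (local): the same computation on what he received.
    r1p, zp = ext(x, y1p, 4 * S), la_mac(alternating_extraction(x, y2p, d, t), y1p)
    # Round 2, Bob -> Alice: (W', T_1' = Raz(Y_3', Z'), T_2' = MAC_{R_1'}(W')).  Z' itself never leaves Bob.
    w = secrets.token_bytes(d)
    t1, t2 = raz(y3p, zp, S), mac(r1p, w)
    r_bob = ext(x, w, S)
    # Alice checks both tags against her own Z and R_1 (round 2 is assumed delivered intact here).
    accept = t1 == raz(y3, z, S) and t2 == mac(r1, w)
    return accept, (ext(x, w, S) if accept else None), r_bob
```

With the hash stand-ins any change to $(Y_1, Y_2, Y_3)$ is caught, so the run shows only the mechanics; the point of the paper's analysis is that real extractors give the same rejection with probability $1 - 2^{-s}$ while revealing only the $O(s)$-byte tags, never $Z'$ itself.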

We note that our protocol shares some similarities with the protocol in [DW09], as they both use the alternating extraction protocol and the "look-ahead" MAC. However, there is one important difference. The protocol in [DW09] uses the look-ahead MAC to authenticate the string $W'$ that Bob sends to Alice in the second round. The look-ahead MAC has size $\Omega(s^2)$ and is revealed in the second round, which causes an entropy loss of $O(s^2)$. Our protocol, on the other hand, uses the look-ahead MAC to authenticate the string $Y_1$ that Alice sends to Bob in the first round. Although in the protocol we do compute some variables that have size $\Omega(s^2)$ (namely $(Z, Z')$), they are computed locally by Alice and Bob, and are never revealed in the protocol to Eve. Instead, what is revealed to Eve is $T'_1 = \mathrm{Raz}(Y'_3, Z')$, which only has size $O(s)$. In other words, in the case where $Y_1 \ne Y'_1$, since we know that $Z$ has entropy $s$ conditioned on $Z'$, we can apply another extractor $\mathrm{Raz}$ to $Z$ and $Z'$ respectively, such that the resulting variable $T'_1$ only has size $O(s)$ and $\mathrm{Raz}(Y_3, Z)$ is (close to) uniform conditioned on $T'_1$. This brings the entropy loss down to $O(s)$.

One might think that the same trick can also be applied to the protocol in [DW09]. However, this is not the case. The reason is that conditioned on $(Y, Y')$, all the random variables in our protocol that are used to authenticate $W$ are $(R_1, T_1, R'_1, T'_1)$, which are deterministic functions of $X$ and have size $O(s)$. Thus in the case where Bob successfully authenticates $W$ to Alice, we can fix them, and conditioned on the fixing, $X$ and $W$ are still independent. This results in a protocol with optimal entropy loss. In the protocol in [DW09], conditioned on $(Y, Y')$, the random variables that are used to authenticate $W$ include the output of the look-ahead extractor, which has size $\Omega(s^2)$. Thus conditioning on this random variable will cause $X$ to lose entropy $O(s^2)$. On the other hand, we cannot simply apply another extractor to this MAC to reduce the output size, since then the output will be a function of $W$ and $X$, and thus conditioned on the fixing of it $W$ and $X$ will no longer be independent.

We now describe our protocol for security parameter $s > \sqrt{k}$. The very high level strategy is as follows. At the beginning of the protocol, Alice samples a random string $Y$ from her private random bits with $d_1 = O(s)$ bits and sends it to Bob, where Bob receives $Y'$. They each compute $R = \mathrm{Ext}(X, Y)$ and $R' = \mathrm{Ext}(X, Y')$ respectively, by using a strong extractor $\mathrm{Ext}$. At the end of the protocol, Bob samples a random string $W'$ from his private random bits with $d_1$ bits and sends it to Alice, together with a tag $T' = \mathrm{MAC}_{R'}(W')$. Alice receives $(W, T)$. Bob will compute $R_B = \mathrm{Ext}(X, W')$ as his final output and Alice will check if $T = \mathrm{MAC}_R(W)$. If the test fails then Alice rejects. Otherwise she will compute $R_A = \mathrm{Ext}(X, W)$ as her final output. In the case where $Y = Y'$, again we will have that $R = R'$ is uniform and private. Thus in this case Bob can authenticate $W'$ to Alice by using a MAC with $R'$ as the key. We will now modify the protocol to ensure that if $Y \ne Y'$, then with probability $1 - 2^{-s}$ either Alice or Bob will reject.

If $s \le \sqrt{k}$ then we can use our 2-round protocol described above. However, we want to achieve $s > \sqrt{k}$, and $X$ does not have enough entropy for the 2-round protocol. On the other hand, we note that we can still use the 2-round protocol to send a substring of $Y$ with $s' = \Omega(\sqrt{k})$ bits to Bob, such that if Eve changes this string, then with probability $1 - 2^{-s'}$ Alice will reject. The key observation now is that after running this 2-round protocol, conditioned on the transcript, $X$ only loses $O(s')$ entropy. Thus $X$ still has entropy $k - O(\sqrt{k})$ in Eve's view. Therefore, we can run the 2-round protocol again, using fresh random strings sampled from Alice's private random bits. This will send another substring of $Y$ with $s' = \Omega(\sqrt{k})$ bits to Bob. As long as $X$ has enough entropy, we can keep doing this and it will take us $O(s/\sqrt{k})$ rounds to send the entire $Y$ to Bob, while the entropy loss is $O(s') \cdot O(s/\sqrt{k}) = O(s)$. Thus as long as $k > Cs$ for a sufficiently large constant $C$, the above approach will work.

However, the simple idea described above is not enough. The reason is that to change $Y$, Eve only needs to change one substring, and she can succeed with probability $2^{-s'} \gg 2^{-s}$. To fix this, we modify the protocol to ensure that, if Eve changes $Y$ to $Y' \ne Y$, then she has to change $\Omega(s/\sqrt{k})$ substrings, i.e., a constant fraction of the substrings. This is where we borrow some ideas from [CKOR10]. Specifically, instead of having Alice just send substrings of $Y$ to Bob, we will use an asymptotically good code for edit errors and have Alice send substrings of the encoding of $Y$ to Bob. More specifically, let $M = \mathrm{Edit}(Y)$ be the encoding of $Y$, which has size $O(d_1)$. At the beginning of the protocol, Alice will send $Y$ to Bob, where Bob receives $Y'$. Next, our protocol will run in $L = O(s/\sqrt{k})$ phases, with each phase consisting of two rounds. In phase $i$, Alice will send the $i$'th substring $M_i$ of $M$ to Bob, where $M_i$ has $d_2 = \Omega(\sqrt{k})$ bits. In the first round of phase $i$, Alice samples two random strings $(Y_{i2}, Y_{i3})$ from her private random bits and sends them to Bob, together with $M_i$. Bob receives $(M'_i, Y'_{i2}, Y'_{i3})$. We will let $|Y_{i3}| \ge 10|Y_{i2}|$. As in the previous 2-round protocol, Alice will use $X$ and $Y_{i2}$ to perform an alternating extraction protocol, where she computes $R_i = (R_{i1}, \ldots, R_{it})$ with $t = 4d_2$ and $Z_i = \mathrm{laMAC}_{R_i}(M_i)$. Correspondingly, Bob will compute $R'_i$ and $Z'_i = \mathrm{laMAC}_{R'_i}(M'_i)$, using $X$ and $Y'_{i2}$. In the second round, Bob will send $T'_i = \mathrm{Raz}(Y'_{i3}, Z'_i)$ to Alice, where Alice receives $T_i$. Alice will now check if $T_i = \mathrm{Raz}(Y_{i3}, Z_i)$ and she rejects if the test fails. By the same analysis as for the 2-round protocol, if Eve changes the substring $M_i$ to $M'_i \ne M_i$, then with probability $1 - 2^{-\Omega(\sqrt{k})}$ Alice will reject.

To synchronize between Alice and Bob, in the second round of phase $i$, we will also have Bob sample a fresh random string $W'_i$ and send it as a challenge to Alice, together with $T'_i$. Alice receives $(W_i, T_i)$. Now if Alice does not reject, then she will also compute a response $V_i = \mathrm{Ext}(X, W_i)$ and send it back to Bob in the first round of phase $i + 1$. Bob will receive $V'_i$ and then check if $V'_i = \mathrm{Ext}(X, W'_i)$. If the test fails then he rejects. Otherwise he proceeds as before. At the end of the protocol, Bob will first check if the received codeword $M' = M'_1 \circ \cdots \circ M'_L$ is indeed equal to $\mathrm{Edit}(Y')$. If the test fails he rejects. Otherwise he proceeds as before. This gives our whole protocol.

For the analysis, by the property of the code, if Eve wants to change $M = \mathrm{Edit}(Y)$ to $M' = \mathrm{Edit}(Y')$ with $Y' \ne Y$, then she has to make $\Omega(d_1)$ edit operations (insertion, deletion or altering). Since changing one substring costs at most $O(\sqrt{k})$ edit operations, Eve has to change at least $\Omega(s/\sqrt{k})$ substrings. We then show that as long as $X$ has an extra entropy of $O(s)$, for a constant fraction of these changes, conditioned on the event that Eve has successfully made all previous changes, the probability that Eve can make this change successfully is at most $2^{-\Omega(\sqrt{k})}$. Thus the overall probability that Eve can change $M$ to $M'$ without causing either Alice or Bob to reject is at most $\big(2^{-\Omega(\sqrt{k})}\big)^{\Omega(s/\sqrt{k})} = 2^{-\Omega(s)}$. The round complexity is $O(s/\sqrt{k})$ and the communication complexity is $O(s\sqrt{k})$, since in each phase the communication complexity is $O(k)$.

2.3 Non-malleable condenser for linear min-entropy

Our non-malleable condenser for linear min-entropy is similar to the construction for arbitrary min-entropy, except we use a different alternating extraction protocol, namely that in [Li12b]. Specifically, we will again use a seed $Y = (Y_1, Y_2)$, where $|Y_1| = d$ and $|Y_2| \ge 10d$. The output will also be $Z = (V_1, V_2)$. For any function $\mathcal{A}(Y) = Y' = (Y'_1, Y'_2)$, we still have two cases: $Y_1 = Y'_1$ or $Y_1 \ne Y'_1$.

If $Y_1 = Y'_1$, then again we take a strong extractor $\mathrm{Ext}$ and compute $W = \mathrm{Ext}(X, Y_1)$ and $V_1 = \mathrm{nmExt}(W, Y_2)$. As long as $|V_1| \ge |V_2| + s$, this takes care of our first case.

If $Y_1 \ne Y'_1$, then again we first fix $(Y_1, Y'_1)$ and $W'$. Conditioned on this fixing $Y_2$ still has entropy rate roughly $9/10$, and now $Y'_2$ is a deterministic function of $Y_2$. Moreover $X$ still has a lot of entropy and is independent of $Y_2$. Now we use the alternating extraction protocol in [Li12b]. More specifically, since $X$ has min-entropy $k = \delta n$ we can apply a somewhere condenser in [BKS+05, Raz05, Zuc07] to $X$ and obtain $\bar{X} = (X^1, \ldots, X^C)$ with $C = \mathrm{poly}(1/\delta)$ such that at least one $X^i$ has entropy rate $0.9$. In [Li12b], Li showed that as long as $k \ge 2^{\mathrm{poly}(1/\delta)} s$, one can use $X, \bar{X}, Y_1, Y_2$ to perform an alternating extraction protocol and obtain $V_2$ with size $2^{\mathrm{poly}(1/\delta)} s$, such that when $Y_1 \ne Y'_1$, $V_2$ roughly has entropy $s$ conditioned on the fixing of $V'_2$ and $(Y_2, Y'_2)$. Since we have fixed $(Y_1, Y'_1)$ and $W'$ before, this means that $Z$ roughly has entropy $s$ conditioned on the fixing of $Z'$ and $(Y, Y')$.

Combined with the protocol in [Li12a], we thus reduce the entropy loss of the protocol in [Li12b] to $C_0 s$ for an absolute constant $C_0$ and the communication complexity to $\mathrm{poly}(1/\delta)\, s$.

Organization. After some preliminaries, we give the formal definition of the privacy amplification problem in Section 4. We define alternating extraction in Section 5. We give our non-malleable condenser for arbitrary min-entropy in Section 6, and the general privacy amplification protocol in Section 7. In Section 8 we give our non-malleable condenser for linear min-entropy. We conclude with some open problems in Section 9.

3 Preliminaries

We often use capital letters for random variables and corresponding small letters for their instantiations. Let $|S|$ denote the cardinality of the set $S$. All logarithms are to the base 2.

3.1 Probability distributions

Definition 3.1 (statistical distance). Let $W$ and $Z$ be two distributions on a set $S$. Their statistical distance (variation distance) is

$$\Delta(W, Z) \stackrel{\mathrm{def}}{=} \max_{T \subsete S}\big(|W(T) - Z(T)|\big) = \frac{1}{2}\sum_{s \in S} |W(s) - Z(s)|.$$

We say $W$ is $\epsilon$-close to $Z$, denoted $W \approx_\epsilon Z$, if $\Delta(W, Z) \le \epsilon$. For a distribution $D$ on a set $S$ and a function $h : S \to T$, let $h(D)$ denote the distribution on $T$ induced by choosing $x$ according to $D$ and outputting $h(x)$.

3.2 Somewhere Random Sources, Extractors and Condensers 

Definition 3.2 (Somewhere Random sources). A source $X = (X_1, \cdots, X_t)$ is $(t \times r)$ somewhere-random (SR-source for short) if each $X_i$ takes values in $\{0,1\}^r$ and there is an $i$ such that $X_i$ is uniformly distributed. 

Definition 3.3. An elementary somewhere-$k$-source is a vector of sources $(X_1, \cdots, X_t)$ such that some $X_i$ is a $k$-source. A somewhere $k$-source is a convex combination of elementary somewhere-$k$-sources. 

Definition 3.4. A function $C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a $(k \to l, \varepsilon)$-condenser if for every $k$-source $X$, $C(X, U_d)$ is $\varepsilon$-close to some $l$-source. When convenient, we call $C$ a rate-$(k/n \to l/m, \varepsilon)$-condenser. 

Definition 3.5. A function $C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a $(k \to l, \varepsilon)$-somewhere-condenser if for every $k$-source $X$, the vector $(C(X, y))_{y \in \{0,1\}^d}$ is $\varepsilon$-close to a somewhere-$l$-source. When convenient, we call $C$ a rate-$(k/n \to l/m, \varepsilon)$-somewhere-condenser. 

Definition 3.6. A function $\mathsf{TExt} : \{0,1\}^{n_1} \times \{0,1\}^{n_2} \to \{0,1\}^m$ is a strong two source extractor for min-entropy $k_1, k_2$ and error $\varepsilon$ if for every independent $(n_1, k_1)$ source $X$ and $(n_2, k_2)$ source $Y$, 

$$|(\mathsf{TExt}(X, Y), X) - (U_m, X)| < \varepsilon$$

and 

$$|(\mathsf{TExt}(X, Y), Y) - (U_m, Y)| < \varepsilon,$$

where $U_m$ is the uniform distribution on $m$ bits independent of $(X, Y)$. 



3.3 Average conditional min-entropy 

Dodis and Wichs originally defined non-malleable extractors with respect to average conditional 
min-entropy, a notion defined by Dodis, Ostrovsky, Reyzin, and Smith [DORS08]. 



Definition 3.7. The average conditional min-entropy is defined as 

$$\widetilde{H}_\infty(X|W) = -\log\Big(\mathbb{E}_{w \leftarrow W}\Big[\max_x \Pr[X = x \mid W = w]\Big]\Big) = -\log\Big(\mathbb{E}_{w \leftarrow W}\Big[2^{-H_\infty(X|W=w)}\Big]\Big).$$

Average conditional min-entropy tends to be useful for cryptographic applications. By taking $W$ to be the empty string, we see that average conditional min-entropy is at least as strong as min-entropy. In fact, the two are essentially equivalent, up to a small loss in parameters. 

We have the following lemmas. 

Lemma 3.8 ([DORS08]). For any $s > 0$, $\Pr_{w \leftarrow W}[H_\infty(X|W = w) \geq \widetilde{H}_\infty(X|W) - s] \geq 1 - 2^{-s}$. 

Lemma 3.9 ([DORS08]). If a random variable $B$ has at most $2^\ell$ possible values, then $\widetilde{H}_\infty(A|B) \geq H_\infty(A) - \ell$. 

To clarify which notion of min-entropy and non-malleable extractor we mean, we use the term worst-case non-malleable extractor when we refer to our Definition 1.3, which is with respect to traditional (worst-case) min-entropy, and average-case non-malleable extractor to refer to the original definition of Dodis and Wichs, which is with respect to average conditional min-entropy. 

Corollary 3.10. A $(k, \varepsilon)$-average-case non-malleable extractor is a $(k, \varepsilon)$-worst-case non-malleable extractor. For any $s > 0$, a $(k, \varepsilon)$-worst-case non-malleable extractor is a $(k + s, \varepsilon + 2^{-s})$-average-case non-malleable extractor. 

Throughout the rest of our paper, when we say non-malleable extractor, we refer to the worst-case non-malleable extractor of Definition 1.3. 
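The quantities of Definitions 3.1 and 3.7 and the bounds of Lemmas 3.8 and 3.9 can be checked exactly on a small distribution. The following is an added example, not code from the paper: it computes statistical distance, min-entropy and average conditional min-entropy on a constructed joint distribution (a 3-bit uniform $X$ and a 1-bit leak $W$ that reveals $X$ completely on one rare branch), then evaluates both lemma bounds for it. The distribution and the function names are choices made here for illustration.

```python
"""Added example (not from the paper): statistical distance (Definition 3.1),
min-entropy, and average conditional min-entropy (Definition 3.7) computed
exactly on a small constructed joint distribution, then checked against the
bounds of Lemma 3.8 and Lemma 3.9."""
from fractions import Fraction as F
from math import log2


def statistical_distance(w, z):
    """Delta(W, Z) = 1/2 * sum_s |W(s) - Z(s)|; distributions are dicts value -> prob."""
    return F(1, 2) * sum(abs(w.get(s, 0) - z.get(s, 0)) for s in set(w) | set(z))


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -log2(max(dist.values()))


def marginal(joint, index):
    """Marginal of coordinate `index` of a joint dict {(x, w): p}."""
    out = {}
    for key, p in joint.items():
        out[key[index]] = out.get(key[index], 0) + p
    return out


def conditional(joint, w):
    """Distribution of X given W = w."""
    cond = {x: p for (x, ww), p in joint.items() if ww == w}
    total = sum(cond.values())
    return {x: p / total for x, p in cond.items()}


def avg_cond_min_entropy(joint):
    """H~_inf(X|W) = -log2 E_{w<-W}[ max_x Pr[X = x | W = w] ]  (Definition 3.7)."""
    pw = marginal(joint, 1)
    guess = sum(pw[w] * max(conditional(joint, w).values()) for w in pw)
    return -log2(guess)


def example_joint():
    """Constructed sample: X uniform on 3 bits, W = 1 iff X == 7, i.e. a one-bit
    leak that reveals X completely on the rare branch W = 1."""
    return {(x, int(x == 7)): F(1, 8) for x in range(8)}


def lemma_3_9_holds(joint):
    """H~_inf(X|W) >= H_inf(X) - log2(number of values of W)."""
    ell = log2(len(marginal(joint, 1)))
    return avg_cond_min_entropy(joint) >= min_entropy(marginal(joint, 0)) - ell


def lemma_3_8_mass(joint, s):
    """Pr_w[ H_inf(X|W=w) >= H~_inf(X|W) - s ], to be compared with 1 - 2^{-s}."""
    pw = marginal(joint, 1)
    threshold = avg_cond_min_entropy(joint) - s
    return sum(pw[w] for w in pw if min_entropy(conditional(joint, w)) >= threshold)


if __name__ == "__main__":
    j = example_joint()
    print("H_inf(X)      =", min_entropy(marginal(j, 0)))          # 3.0
    print("H~_inf(X|W)   =", avg_cond_min_entropy(j))              # 2.0
    print("Delta(W, U_1) =", statistical_distance(marginal(j, 1), {0: F(1, 2), 1: F(1, 2)}))
    print("Lemma 3.9    :", lemma_3_9_holds(j))
    print("Lemma 3.8 s=1:", lemma_3_8_mass(j, 1), ">= 1/2")
```

On this distribution the worst-case conditional min-entropy is 0 (when $W = 1$ the adversary knows $X$), yet the average conditional min-entropy is exactly 2, which is the Lemma 3.9 bound $3 - 1$ with equality; Lemma 3.8 with $s = 1$ gives mass $7/8 \geq 1/2$.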

3.4 Prerequisites from previous work 

One-time message authentication codes (MACs) use a shared random key to authenticate a message 
in the information-theoretic setting. 

Definition 3.11. A function family $\{\mathsf{MAC}_R : \{0,1\}^d \to \{0,1\}^v\}$ is an $\varepsilon$-secure one-time MAC for messages of length $d$ with tags of length $v$ if for any $w \in \{0,1\}^d$ and any function (adversary) $A : \{0,1\}^v \to \{0,1\}^d \times \{0,1\}^v$, 

$$\Pr_R\big[\mathsf{MAC}_R(W') = T' \wedge W' \neq w \;\big|\; (W', T') = A(\mathsf{MAC}_R(w))\big] \leq \varepsilon,$$

where $R$ is the uniform distribution over the key space $\{0,1\}^\ell$. 

Theorem 3.12 ([KR09]). For any message length $d$ and tag length $v$, there exists an efficient family of $(\lceil d/v \rceil 2^{-v})$-secure MACs with key length $\ell = 2v$. In particular, this MAC is $\varepsilon$-secure when $v = \log d + \log(1/\varepsilon)$. 

More generally, this MAC also enjoys the following security guarantee, even if Eve has partial information $E$ about its key $R$. Let $(R, E)$ be any joint distribution. Then, for all attackers $A_1$ and $A_2$, 

$$\Pr_{(R,E)}\big[\mathsf{MAC}_R(W') = T' \wedge W' \neq W \;\big|\; W = A_1(E),\ (W', T') = A_2(\mathsf{MAC}_R(W), E)\big] \leq \left\lceil \frac{d}{v} \right\rceil 2^{v - \widetilde{H}_\infty(R|E)}.$$

(In the special case when $R = U_{2v}$ and independent of $E$, we get the original bound.) 

Remark 3.13. Note that the above theorem indicates that the MAC works even if the key $R$ has average conditional min-entropy rate $> 1/2$. 
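Theorem 3.12 is stated abstractly. As an added example, and not code from the paper or from [KR09], the block below implements the standard polynomial-evaluation one-time MAC over $\mathrm{GF}(2^v)$, whose parameters match the theorem: key $(a, b)$ of $2v$ bits, tag of $v$ bits, and a forgery bound of $\lceil d/v \rceil 2^{-v}$ because a forger must guess a root of a nonzero polynomial of degree at most $\lceil d/v \rceil$ in the uniformly random $a$. Whether this is literally the [KR09] construction is not something this page states; treat it as one instantiation with the stated parameters. The field polynomials, the brute-force parameters $d = 16$, $v = 8$, and the function names are choices made here. The last function enumerates every key to compute the best forger's exact success probability, so the bound can be checked rather than asserted.

```python
"""Added example (not code from the paper or [KR09]): a one-time MAC with key
length 2v and tag length v whose forgery bound ceil(d/v) * 2^{-v} matches
Theorem 3.12.  Polynomial-evaluation MAC over GF(2^v): split the d-bit message
into n = ceil(d/v) chunks w_1..w_n of v bits, key (a, b) in GF(2^v)^2,
tag = b + sum_i w_i * a^i.  The field polynomials are my choice (AES's for v=8)."""
from collections import Counter
from fractions import Fraction
import secrets

FIELD_POLY = {8: 0x11B, 16: 0x1100B}   # x^8+x^4+x^3+x+1 and x^16+x^12+x^3+x+1


def gf_mul(x, y, v):
    """Multiply in GF(2^v): carry-less multiply, reducing by the field polynomial."""
    poly, r = FIELD_POLY[v], 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> v:
            x ^= poly
    return r


def chunks(msg, d, v):
    """Split a d-bit message (as an int) into ceil(d/v) chunks of v bits, low chunk first."""
    n = -(-d // v)
    return [(msg >> (v * i)) & ((1 << v) - 1) for i in range(n)]


def mac(key, msg, d, v):
    """MAC_{(a,b)}(w) = b + sum_{i=1}^{n} w_i * a^i  over GF(2^v); '+' is XOR."""
    a, b = key
    tag, power = b, 1
    for w_i in chunks(msg, d, v):
        power = gf_mul(power, a, v)        # a^i
        tag ^= gf_mul(w_i, power, v)
    return tag


def keygen(v):
    """Uniform key (a, b): 2v bits, i.e. l = 2v as in Theorem 3.12."""
    return secrets.randbits(v), secrets.randbits(v)


def max_forgery_probability(w, w_prime, d, v):
    """Exact success probability of the best one-time forger for the pair (w, w').
    b cancels in MAC(w) xor MAC(w'), so the forger's best move is to output
    tag' = tag xor delta for the most frequent value delta of
    D(a) = sum_i (w_i xor w'_i) a^i; the histogram over all a gives that frequency."""
    assert w != w_prime
    hist = Counter(mac((a, 0), w, d, v) ^ mac((a, 0), w_prime, d, v) for a in range(1 << v))
    return Fraction(max(hist.values()), 1 << v)


def theorem_3_12_bound(d, v):
    """ceil(d/v) * 2^{-v}."""
    return Fraction(-(-d // v), 1 << v)


if __name__ == "__main__":
    d, v = 16, 8
    key = keygen(v)
    print("tag of 0x1234      :", hex(mac(key, 0x1234, d, v)))
    print("best forgery prob. :", max_forgery_probability(0x1234, 0x3412, d, v),
          "<= bound", theorem_3_12_bound(d, v))
```

The pair $0x1234 / 0x3412$ differs in both chunks by the same value, so $D(a)$ is a nonzero multiple of $a^2 + a$, which is 2-to-1 on $\mathrm{GF}(2^8)$; the forger's best probability is exactly $2/256$, meeting the $\lceil 16/8 \rceil 2^{-8}$ bound with equality. A pair differing only in the low chunk gives $D(a) = c \cdot a$, a bijection, and probability $1/256$.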

Sometimes it is convenient to talk about average case seeded extractors, where the source $X$ has average conditional min-entropy $\widetilde{H}_\infty(X|Z) \geq k$ and the output of the extractor should be uniform given $Z$ as well. The following lemma is proved in [DORS08]. 

Lemma 3.14 ([DORS08]). For any $\delta > 0$, if $\mathsf{Ext}$ is a $(k, \varepsilon)$ extractor then it is also a $(k + \log(1/\delta), \varepsilon + \delta)$ average case extractor. 

Theorem 3.15 ([BKS+05, Raz05, Zuc07]). For any constant $\beta, \delta > 0$, there is an efficient family of rate-$(\delta \to 1 - \beta, \varepsilon = 2^{-\Omega(n)})$-somewhere condensers $\mathsf{Cond} : \{0,1\}^n \to (\{0,1\}^m)^D$ where $D = O(1)$ and $m = \Omega(n)$. 

For a strong seeded extractor with optimal parameters, we use the following extractor constructed in [GUV09]. 

Theorem 3.16 ([GUV09]). For every constant $\alpha > 0$, and all positive integers $n, k$ and any $\varepsilon > 0$, there is an explicit construction of a strong $(k, \varepsilon)$-extractor $\mathsf{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ with $d = O(\log n + \log(1/\varepsilon))$ and $m \geq (1 - \alpha)k$. It is also a strong $(k, \varepsilon)$ average case extractor with $m \geq (1 - \alpha)k - O(\log n + \log(1/\varepsilon))$. 

We need the following construction of strong two-source extractors in [Raz05]. 

Theorem 3.17 ([Raz05]). For any $n_1, n_2, k_1, k_2, m$ and any $0 < \delta < 1/2$ with 

• $n_1 \geq 6 \log n_1 + 2 \log n_2$ 

• $k_1 \geq (0.5 + \delta) n_1 + 3 \log n_1 + \log n_2$ 

• $k_2 \geq 5 \log(n_1 - k_1)$ 

• $m \leq \delta \min[n_1/8, k_2/40] - 1$ 

there is a polynomial time computable strong 2-source extractor $\mathsf{Raz} : \{0,1\}^{n_1} \times \{0,1\}^{n_2} \to \{0,1\}^m$ for min-entropy $k_1, k_2$ with error $2^{-1.5m}$. 

Theorem 3.18 ([DLWZ11, CRS12, Li12a]). For every constant $\delta > 0$, there exists a constant $\beta > 0$ such that for every $n, k \in \mathbb{N}$ with $k \geq (1/2 + \delta) n$ and $\varepsilon > 2^{-\beta n}$ there exists an explicit $(k, \varepsilon)$ non-malleable extractor with seed length $d = O(\log n + \log \varepsilon^{-1})$ and output length $m = \Omega(n)$. 

The following standard lemma about conditional min-entropy is implicit in [NZ96] and explicit in [MW97]. 

Lemma 3.19 ([MW97]). Let $X$ and $Y$ be random variables and let $\mathcal{Y}$ denote the range of $Y$. Then for all $\varepsilon > 0$, one has 

$$\Pr_{y \leftarrow Y}\left[H_\infty(X|Y = y) \geq H_\infty(X) - \log|\mathcal{Y}| - \log\frac{1}{\varepsilon}\right] \geq 1 - \varepsilon.$$

We also need the following lemma. 

Lemma 3.20. Let $(X, Y)$ be a joint distribution such that $X$ has range $\mathcal{X}$ and $Y$ has range $\mathcal{Y}$. Assume that there is another random variable $X'$ with the same range as $X$ such that $|X - X'| = \varepsilon$. Then there exists a joint distribution $(X', Y)$ such that $|(X, Y) - (X', Y)| = \varepsilon$. 

Proof. First let $(X'', Y)$ be the same probability distribution as $(X, Y)$. For any $x \in \mathcal{X}$, let $p''_x = \Pr[X'' = x]$ and $p'_x = \Pr[X' = x]$. For any $y \in \mathcal{Y}$, let $p_y = \Pr[Y = y]$. Let $p''_{xy} = \Pr[X'' = x, Y = y]$. Let $W = \{x \in \mathcal{X} : p''_x > p'_x\}$ and $V = \{x \in \mathcal{X} : p''_x < p'_x\}$. Thus we have that $\sum_{x \in W} |p''_x - p'_x| = \sum_{x \in V} |p''_x - p'_x| = \varepsilon$. 

We now gradually change the probability distribution $X''$ into $X'$, while keeping the distribution $Y$ the same, as follows. While $W$ is not empty or $V$ is not empty, do the following. 

1. Pick $x \in W \cup V$ such that $|p''_x - p'_x| = \min\{|p''_{\bar{x}} - p'_{\bar{x}}| : \bar{x} \in W \cup V\}$. 

2. If $x \in W$, we decrease $\Pr[X'' = x]$ to $p'_x$. Let $\tau = p''_x - p'_x$. To ensure this is still a probability distribution, we also pick any $\bar{x} \in V$ and increase $\Pr[X'' = \bar{x}]$ to $\Pr[X'' = \bar{x}] + \tau$. To do this, we pick the elements $y \in \mathcal{Y}$ one by one in an arbitrary order and while $\tau > 0$, do the following. Let $\tau' = \min(p''_{xy}, \tau)$, $\Pr[X'' = x, Y = y] \leftarrow \Pr[X'' = x, Y = y] - \tau'$, $\Pr[X'' = \bar{x}, Y = y] \leftarrow \Pr[X'' = \bar{x}, Y = y] + \tau'$ and $\tau \leftarrow \tau - \tau'$. We then update the sets $\{p''_x\}$ and $\{p''_{xy}\}$ accordingly. Note that since $p''_x = \tau + p'_x \geq \tau$, this process will indeed end when $\tau = 0$, and now $\Pr[X'' = x] = p'_x$. Note that after this change we still have $p''_{\bar{x}} \leq p'_{\bar{x}}$, because $\tau$ was chosen as the smallest gap in $W \cup V$. Also, for any $y \in \mathcal{Y}$ the probability $\Pr[Y = y]$ remains unchanged. Finally, remove $x$ from $W$ and if $p''_{\bar{x}} = p'_{\bar{x}}$, remove $\bar{x}$ from $V$. 

3. If $x \in V$, we increase $\Pr[X'' = x]$ to $p'_x$. Let $\tau = p'_x - p''_x$. To ensure that $X''$ is still a probability distribution, we also pick any $\bar{x} \in W$ and decrease $\Pr[X'' = \bar{x}]$ to $\Pr[X'' = \bar{x}] - \tau$. To do this, we pick the elements $y \in \mathcal{Y}$ one by one in an arbitrary order and while $\tau > 0$, do the following. Let $\tau' = \min(p''_{\bar{x}y}, \tau)$, $\Pr[X'' = x, Y = y] \leftarrow \Pr[X'' = x, Y = y] + \tau'$, $\Pr[X'' = \bar{x}, Y = y] \leftarrow \Pr[X'' = \bar{x}, Y = y] - \tau'$ and $\tau \leftarrow \tau - \tau'$. We then update the sets $\{p''_x\}$ and $\{p''_{xy}\}$ accordingly. Note that since $p''_{\bar{x}} \geq \tau + p'_{\bar{x}}$, this process will indeed end when $\tau = 0$, and we still have $p''_{\bar{x}} \geq p'_{\bar{x}}$. Also, for any $y \in \mathcal{Y}$ the probability $\Pr[Y = y]$ remains unchanged. Finally, remove $x$ from $V$ and if $p''_{\bar{x}} = p'_{\bar{x}}$, remove $\bar{x}$ from $W$. 

Note that in each iteration, at least one element will be removed from $W \cup V$. Thus the iteration will end after finitely many steps. When it ends, we have that $\forall x, \Pr[X'' = x] = p'_x$, thus $X'' = X'$. Since in each step the probability $\Pr[Y = y]$ remains unchanged, the distribution $Y$ remains the same. Finally, it is clear from the algorithm that $|(X'', Y) - (X, Y)| = \varepsilon$: mass is only ever removed from elements of $W$ and only ever added to elements of $V$, and the total mass moved is exactly $\varepsilon$. □ 

Next we have the following lemma. 

Lemma 3.21. Let $X$ and $Y$ be random variables and let $\mathcal{Y}$ denote the range of $Y$. Assume that $X$ is $\varepsilon$-close to having min-entropy $k$. Then for any $\varepsilon' > 0$, 

$$\Pr_{y \leftarrow Y}\left[(X|Y = y) \text{ is } \varepsilon'\text{-close to a source with min-entropy } k - \log|\mathcal{Y}| - \log\frac{1}{\varepsilon'}\right] \geq 1 - \frac{\varepsilon}{\varepsilon'} - \varepsilon'.$$

Proof. Let $\mathcal{X}$ denote the range of $X$. Assume that $X'$ is a distribution on $\mathcal{X}$ with min-entropy $k$ such that $|X - X'| \leq \varepsilon$. Then by Lemma 3.20, there exists a joint distribution $(X', Y)$ such that $|(X, Y) - (X', Y)| \leq \varepsilon$. 

Now for any $y \in \mathcal{Y}$, let $\Delta_y = \sum_{x \in \mathcal{X}} |\Pr[X = x, Y = y] - \Pr[X' = x, Y = y]|$. Then we have 

$$\sum_{y \in \mathcal{Y}} \Delta_y = 2\,|(X, Y) - (X', Y)| \leq 2\varepsilon.$$

For any $y \in \mathcal{Y}$, the statistical distance between $X|Y = y$ and $X'|Y = y$ is 

$$\delta_y = \frac{1}{2}\sum_{x \in \mathcal{X}} \big|\Pr[X = x \mid Y = y] - \Pr[X' = x \mid Y = y]\big| = \frac{1}{2}\Big(\sum_{x \in \mathcal{X}} \big|\Pr[X = x, Y = y] - \Pr[X' = x, Y = y]\big|\Big)\Big/\Pr[Y = y] = \frac{\Delta_y}{2\Pr[Y = y]}.$$

Thus if $\delta_y > \varepsilon'$ then $\Delta_y > 2\varepsilon' \Pr[Y = y]$. Let $B_Y = \{y : \delta_y > \varepsilon'\}$; then we have 

$$2\varepsilon' \Pr[y \in B_Y] = \sum_{y \in B_Y} 2\varepsilon' \Pr[Y = y] \leq \sum_{y \in B_Y} \Delta_y \leq \sum_{y \in \mathcal{Y}} \Delta_y \leq 2\varepsilon.$$

Thus $\Pr[y \in B_Y] \leq \frac{\varepsilon}{\varepsilon'}$. Note that when $y \notin B_Y$ we have $|X|Y = y - X'|Y = y| \leq \varepsilon'$. Since $X'$ has min-entropy $k$, applying Lemma 3.19 to $(X', Y)$ with error $\varepsilon'$ gives the statement of the lemma. □ 

4 Privacy Amplification with an Active Adversary 

In this section we formally define the privacy amplification problem. We will follow [DLWZ11] and define a privacy amplification protocol $(P_A, P_B)$. The protocol is executed by two parties Alice and Bob, who share a secret $X \in \{0,1\}^n$. An active, computationally unbounded adversary Eve might have some partial information $E$ about $X$ satisfying $\widetilde{H}_\infty(X|E) \geq k$. Since Eve is unbounded, we can assume without loss of generality that she is deterministic. 

We assume that Eve has full control of the communication channel between the two parties. This means that Eve can arbitrarily insert, delete, reorder or modify messages sent by Alice and Bob to each other. In particular, Eve's strategy $P_E$ defines two correlated executions $(P_A, P_E)$ and $(P_E, P_B)$ between Alice and Eve, and Eve and Bob, called "left execution" and "right execution", respectively. Alice and Bob are assumed to have fresh, private and independent random bits $Y$ and $W$, respectively. $Y$ and $W$ are not known to Eve. In the protocol we use $\perp$ as a special symbol to indicate rejection. At the end of the left execution $(P_A(X, Y), P_E(E))$, Alice outputs a key $R_A \in \{0,1\}^m \cup \{\perp\}$. Similarly, Bob outputs a key $R_B \in \{0,1\}^m \cup \{\perp\}$ at the end of the right execution $(P_E(E), P_B(X, W))$. We let $E'$ denote the final view of Eve, which includes $E$ and the communication transcripts of both executions $(P_A(X, Y), P_E(E))$ and $(P_E(E), P_B(X, W))$. We can now define the security of $(P_A, P_B)$. 

Definition 4.1. An interactive protocol $(P_A, P_B)$, executed by Alice and Bob on a communication channel fully controlled by an active adversary Eve, is a $(k, m, \varepsilon)$-privacy amplification protocol if it satisfies the following properties whenever $\widetilde{H}_\infty(X|E) \geq k$: 

1. Correctness. If Eve is passive, then $\Pr[R_A = R_B \wedge R_A \neq \perp \wedge R_B \neq \perp] = 1$. 

2. Robustness. We start by defining the notion of pre-application robustness, which states that even if Eve is active, $\Pr[R_A \neq R_B \wedge R_A \neq \perp \wedge R_B \neq \perp] \leq \varepsilon$. 

The stronger notion of post-application robustness is defined similarly, except Eve is additionally given the key $R_A$ the moment she completed the left execution $(P_A, P_E)$, and the key $R_B$ the moment she completed the right execution $(P_E, P_B)$. For example, if Eve completed the left execution before the right execution, she may try to use $R_A$ to force Bob to output a different key $R_B \notin \{R_A, \perp\}$, and vice versa. 

3. Extraction. Given a string $r \in \{0,1\}^m \cup \{\perp\}$, let $\mathsf{purify}(r)$ be $\perp$ if $r = \perp$, and otherwise replace $r \neq \perp$ by a fresh $m$-bit random string $U_m$: $\mathsf{purify}(r) \leftarrow U_m$. Letting $E'$ denote Eve's view of the protocol, we require that 

$$\Delta\big((R_A, E'), (\mathsf{purify}(R_A), E')\big) \leq \varepsilon \quad \text{and} \quad \Delta\big((R_B, E'), (\mathsf{purify}(R_B), E')\big) \leq \varepsilon.$$

Namely, whenever a party does not reject, its key looks like a fresh random string to Eve. 

The quantity $k - m$ is called the entropy loss and the quantity $\log(1/\varepsilon)$ is called the security parameter of the protocol. 

5 Alternating Extraction Protocol and Look Ahead Extractor 

An important ingredient in our construction is the following alternating extraction protocol modified 
from that in [DW09]. 

Quentin: Q, S_0                                   Wendy: X

                 S_0                ----------->
                                    <-----------  R_0 = Raz(S_0, X)
  S_1 = Ext_q(Q, R_0)               ----------->
                                    <-----------  R_1 = Ext_w(X, S_1)
  S_2 = Ext_q(Q, R_1)               ----------->
                                    <-----------  R_2 = Ext_w(X, S_2)
  ...
  S_t = Ext_q(Q, R_{t-1})           ----------->
                                    <-----------  R_t = Ext_w(X, S_t)

Figure 1: Alternating Extraction. 



Alternating Extraction. Assume that we have two parties, Quentin and Wendy. Quentin has a source $Q$, Wendy has a source $X$. Also assume that Quentin has a weak source $S_0$ with entropy rate $> 1/2$ (which may be correlated with $Q$). Suppose that $(Q, S_0)$ is kept secret from Wendy and $X$ is kept secret from Quentin. Let $\mathsf{Ext}_q, \mathsf{Ext}_w$ be strong seeded extractors with optimal parameters, such as that in Theorem 3.16. Let $\mathsf{Raz}$ be the strong two-source extractor in Theorem 3.17. Let $d$ be an integer parameter for the protocol. For some integer parameter $t > 0$, the alternating extraction protocol is an interactive process between Quentin and Wendy that runs in $t + 1$ steps. 

In the 0'th step, Quentin sends $S_0$ to Wendy, Wendy computes $R_0 = \mathsf{Raz}(S_0, X)$ and replies $R_0$ to Quentin, and Quentin then computes $S_1 = \mathsf{Ext}_q(Q, R_0)$. In this step $R_0, S_1$ each output $d$ bits. In the first step, Quentin sends $S_1$ to Wendy, Wendy computes $R_1 = \mathsf{Ext}_w(X, S_1)$. She sends $R_1$ to Quentin and Quentin computes $S_2 = \mathsf{Ext}_q(Q, R_1)$. In this step $R_1, S_2$ each output $d$ bits. In each subsequent step $i$, Quentin sends $S_i$ to Wendy, Wendy computes $R_i = \mathsf{Ext}_w(X, S_i)$. She replies $R_i$ to Quentin and Quentin computes $S_{i+1} = \mathsf{Ext}_q(Q, R_i)$. In step $i$, $R_i, S_{i+1}$ each output $d$ bits. Therefore, this process produces the following sequence: 

$$S_0,\ R_0 = \mathsf{Raz}(S_0, X),\ S_1 = \mathsf{Ext}_q(Q, R_0),\ R_1 = \mathsf{Ext}_w(X, S_1),\ \cdots,\ S_t = \mathsf{Ext}_q(Q, R_{t-1}),\ R_t = \mathsf{Ext}_w(X, S_t).$$

Look-Ahead Extractor. Now we can define our look-ahead extractor. Let $Y = (Q, S_0)$ be a seed; the look-ahead extractor is defined as 

$$\mathsf{laExt}(X, Y) = \mathsf{laExt}(X, (Q, S_0)) \stackrel{\mathrm{def}}{=} R_1, \cdots, R_t.$$

Note that the look-ahead extractor can be computed by each party (Alice or Bob) alone in our 
final protocol. We now have the following lemma. 

Lemma 5.1. In the alternating extraction protocol, assume that $X$ has $n$ bits and $Q$ has at most $n$ bits. Let $\varepsilon > 0$ be a parameter and $d = O(\log n + \log(1/\varepsilon)) \geq \log(1/\varepsilon)$ be the number of random bits needed in Theorem 3.16 to achieve error $\varepsilon$. Assume that $X$ has min-entropy at least $12d^2$, $Q$ has min-entropy at least $11d^2$ and $S_0$ is a $(40d, 38d)$ source. Let $\mathsf{Ext}_w$ and $\mathsf{Ext}_q$ be strong extractors in Theorem 3.16 that use $d$ bits to extract $d$ bits. Let $t = 4d$. 

Let $(Q', S_0')$ be another distribution on the same support of $(Q, S_0)$ such that $(Q, S_0, Q', S_0')$ is independent of $X$. Now run the alternating extraction protocol with $X$ and $(Q', S_0')$ where in each step we obtain $S_i', R_i'$. For any $i$, $0 \leq i \leq t - 1$, let $\hat{S}_i = (S_0, \cdots, S_i)$, $\hat{S}'_i = (S_0', \cdots, S_i')$, $\hat{R}_i = (R_0, \cdots, R_i)$ and $\hat{R}'_i = (R_0', \cdots, R_i')$. Then for any $i$, $0 \leq i \leq t - 1$, we have 

$$(R_i, \hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i', Q, Q') \approx_{(2i+2)\varepsilon} (U_d, \hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i', Q, Q').$$

Proof. We first prove the following claim. 

Claim 5.2. In step 0, we have 

$$(R_0, S_0, S_0', Q, Q') \approx_\varepsilon (U_d, S_0, S_0', Q, Q')$$

and 

$$(S_1, R_0, S_0, R_0', S_0') \approx_{3\varepsilon} (U_d, R_0, S_0, R_0', S_0').$$

Moreover, conditioned on $(S_0, S_0')$, $(R_0, R_0')$ are both deterministic functions of $X$; conditioned on $(R_0, S_0, R_0', S_0')$, $(S_1, S_1')$ are deterministic functions of $(Q, Q')$. 

Proof of the claim. Note that $S_0$ is a $(40d, 38d)$ source. Thus by Theorem 3.17 we have that 

$$(R_0, S_0) \approx_\varepsilon (U_d, S_0).$$

Since conditioned on $S_0$, $R_0$ is a deterministic function of $X$, which is independent of $(Q, Q')$, we also have that 

$$(R_0, S_0, S_0', Q, Q') \approx_\varepsilon (U_d, S_0, S_0', Q, Q').$$

Now we fix $(S_0, S_0')$, and $(R_0, R_0')$ are both deterministic functions of $X$. Since the size of $(S_0, S_0')$ is at most $80d$, by Lemma 3.19 we have that with probability $1 - \varepsilon$ over these fixings, $Q$ is a source with min-entropy at least $10d^2$. Since $R_0, R_0'$ are both deterministic functions of $X$, they are independent of $Q$. Therefore by Theorem 3.16 we have 

$$(S_1, R_0, R_0') \approx_\varepsilon (U_d, R_0, R_0').$$

Thus altogether we have that 

$$(S_1, R_0, S_0, R_0', S_0') \approx_{3\varepsilon} (U_d, R_0, S_0, R_0', S_0').$$

Moreover, conditioned on $(R_0, S_0, R_0', S_0')$, $(S_1, S_1')$ are deterministic functions of $(Q, Q')$. □ 

Now we fix $(R_0, S_0, R_0', S_0')$. Note that after this fixing, $S_1, S_1'$ are deterministic functions of $(Q, Q')$. Note that with probability $1 - \varepsilon$ over this fixing, $Q$ has min-entropy at least $10d^2$. We now prove the lemma. In fact, we prove the following stronger claim. 

Claim 5.3. For any $i$, we have that 

$$(R_i, \hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i', Q, Q') \approx_{(2i+2)\varepsilon} (U_d, \hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i', Q, Q')$$

and 

$$(S_{i+1}, \hat{S}_i, \hat{S}'_i, \hat{R}_i, \hat{R}'_i) \approx_{(2i+3)\varepsilon} (U_d, \hat{S}_i, \hat{S}'_i, \hat{R}_i, \hat{R}'_i).$$

Moreover, conditioned on $(\hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i')$, $(R_i, R_i')$ are both deterministic functions of $X$; conditioned on $(\hat{S}_i, \hat{S}'_i, \hat{R}_i, \hat{R}'_i)$, $(S_{i+1}, S'_{i+1})$ are deterministic functions of $(Q, Q')$. 

We prove the claim by induction on $i$. When $i = 0$, the statements are already proved in Claim 5.2. Now we assume that the statements hold for $i = j$ and we prove them for $i = j + 1$. 

We first fix $(\hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j)$. Since now $(S_{j+1}, S'_{j+1})$ are deterministic functions of $(Q, Q')$, they are independent of $X$. Moreover $S_{j+1}$ is $(2j+3)\varepsilon$-close to uniform. Note that the average conditional min-entropy of $X$ is at least $12d^2 - 2d \cdot 4d \geq 4d^2$. Therefore by Theorem 3.16 we have that 

$$(R_{j+1}, \hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1}) \approx_{(2j+4)\varepsilon} (U_d, \hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1}).$$

Since $(S_{j+1}, S'_{j+1})$ are deterministic functions of $(Q, Q')$, we also have 

$$(R_{j+1}, \hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1}, Q, Q') \approx_{(2j+4)\varepsilon} (U_d, \hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1}, Q, Q').$$

Moreover, conditioned on $(\hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1})$, $(R_{j+1}, R'_{j+1})$ are both deterministic functions of $X$. 

Next, since conditioned on $(\hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1})$, $(R_{j+1}, R'_{j+1})$ are both deterministic functions of $X$, they are independent of $(Q, Q')$. Moreover $R_{j+1}$ is $(2j+4)\varepsilon$-close to uniform. Note that the average conditional min-entropy of $Q$ is at least $10d^2 - 8d^2 = 2d^2$. Therefore by Theorem 3.16 we have that 

$$(S_{j+2}, \hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1}, R_{j+1}, R'_{j+1}) \approx_{(2j+5)\varepsilon} (U_d, \hat{S}_j, \hat{S}'_j, \hat{R}_j, \hat{R}'_j, S_{j+1}, S'_{j+1}, R_{j+1}, R'_{j+1}).$$

Namely, 

$$(S_{j+2}, \hat{S}_{j+1}, \hat{S}'_{j+1}, \hat{R}_{j+1}, \hat{R}'_{j+1}) \approx_{(2(j+1)+3)\varepsilon} (U_d, \hat{S}_{j+1}, \hat{S}'_{j+1}, \hat{R}_{j+1}, \hat{R}'_{j+1}).$$

Moreover, conditioned on $(\hat{S}_{j+1}, \hat{S}'_{j+1}, \hat{R}_{j+1}, \hat{R}'_{j+1})$, $(S_{j+2}, S'_{j+2})$ are deterministic functions of $(Q, Q')$. 

□ 

6 Non-Malleable Condensers for Arbitrary Min-Entropy 

In this section we give our construction of non-malleable condensers for arbitrary min-entropy. 
First, we need the following definitions and constructions from [DW09]. 

Definition 6.1 ([DW09]). Given $S_1, S_2 \subseteq \{1, \cdots, t\}$, we say that the ordered pair $(S_1, S_2)$ is top-heavy if there is some integer $j$ such that $|S_1^{\geq j}| > |S_2^{\geq j}|$, where $S^{\geq j} = \{s \in S \mid s \geq j\}$. Note that it is possible that $(S_1, S_2)$ and $(S_2, S_1)$ are both top-heavy. For a collection $\Psi$ of sets $S_i \subseteq \{1, \cdots, t\}$, we say that $\Psi$ is pairwise top-heavy if every ordered pair $(S_i, S_j)$ of sets $S_i, S_j \in \Psi$ with $i \neq j$ is top-heavy. 

Now, for any $m$-bit message $\mu = (b_1, \cdots, b_m)$, consider the following mapping of $\mu$ to a subset $S_\mu \subseteq \{1, \cdots, 4m\}$: 

$$f(\mu) = f(b_1, \cdots, b_m) = \{4i - 3 + b_i,\ 4i - b_i \mid i = 1, \cdots, m\},$$

i.e., each bit $b_i$ decides whether to include $\{4i - 3, 4i\}$ (if $b_i = 0$) or $\{4i - 2, 4i - 1\}$ (if $b_i = 1$) in $S_\mu$. We now have the following lemma. 

Lemma 6.2 ([DW09]). The above construction gives a pairwise top-heavy collection $\Psi$ of $2^m$ sets $S \subseteq \{1, \cdots, t\}$ where $t = 4m$. Furthermore, the function $f$ is an efficient mapping of $\mu \in \{0,1\}^m$ to $S_\mu$. 

Now we have the following construction. 

Let $r \in (\{0,1\}^d)^t$ be the output of the look-ahead extractor defined above, i.e., $r = (r_1, \cdots, r_t) = \mathsf{laExt}(X, (Q, S_0))$. Let $\Psi = \{S_1, \cdots, S_{2^m}\}$ be the pairwise top-heavy collection of sets constructed above. For any message $\mu \in \{0,1\}^m$, define the function $\mathsf{laMAC}_r(\mu) \stackrel{\mathrm{def}}{=} [r_i \mid i \in S_\mu]$, indexed by $r$. Now we can describe our construction of the non-malleable condenser. 
Now we can describe our construction of the non-malleable condenser. 
Algorithm 6.3 ($\mathsf{nmCond}(x, y)$). 

Input: $\ell$, an integer parameter; $x$, a sample from an $(n, k)$-source with $k \geq 60d^2$; $y$, an independent random seed with $y = (y_1, y_2)$ such that $y_1$ has size $d = O(\log n + \ell) \geq 5\ell$ and $y_2$ has size $12d^2$. 

Output: $z$, an $m$ bit string. 

Sub-Routines and Parameters: 

Let $\mathsf{nmExt}$ be the non-malleable extractor from Theorem 3.18, with error $2^{-4\ell}$. 

Let $\mathsf{Ext}$ be the strong extractor with optimal parameters from Theorem 3.16, with error $2^{-5\ell}$. 

Let $\mathsf{laExt}$ be the look-ahead extractor defined above, using $\mathsf{Ext}$ as $\mathsf{Ext}_q$ and $\mathsf{Ext}_w$. $\mathsf{laExt}$ is set up to extract from $x$ using seed $(q, s_0)$ such that $q = y_2$ and $s_0$ is the string that contains the first $40d$ bits of $y_2$, and outputs a string $r \in (\{0,1\}^d)^t$ with $t = 4d$. 

Let $\mathsf{laMAC}_r(\mu)$ be the function defined above. 

1. Compute $w = \mathsf{Ext}(x, y_1)$ with output size $20d^2$ and $r = \mathsf{laExt}(x, (q, s_0))$. 

2. Output $z = (\mathsf{nmExt}(w, y_2), \mathsf{laMAC}_r(y_1))$ such that $\mathsf{nmExt}(w, y_2)$ has size $8d^2$. 



We can now prove the following theorem. 

Theorem 6.4. There exists a constant $C > 0$ such that given any $s > 0$, as long as $k \geq C(\log n + s)^2$, the above construction is a $(k, s, 2^{-s})$-non-malleable condenser with seed length $O(\log n + s)^2$ and output length $O(\log n + s)^2$. 

Proof. Let $A$ be any (deterministic) function such that $\forall y \in \mathsf{Supp}(Y)$, $A(y) \neq y$. We will show that for most $y$, with high probability over the fixing of $\mathsf{nmCond}(X, A(y))$, $\mathsf{nmCond}(X, y)$ is still close to having min-entropy at least $\ell$. Let $Y' = A(Y)$. Thus $Y' \neq Y$. In the following analysis we will use letters with prime to denote the corresponding random variables produced with $Y'$ instead of $Y$. Let $V_1 = \mathsf{nmExt}(W, Y_2)$ and $V_2 = \mathsf{laMAC}_R(Y_1)$. Thus $Z = (V_1, V_2)$. We have the following two cases. 

Case 1: $Y_1 = Y_1'$. In this case, since $Y' \neq Y$, we must have that $Y_2 \neq Y_2'$. Now by Theorem 3.16 we have that 

$$(W, Y_1) \approx_{2^{-5\ell}} (U, Y_1).$$

Therefore, we can now fix $Y_1$ (and thus $Y_1'$), and with probability $1 - 2^{-\ell}$ over this fixing, $W$ is $2^{-4\ell}$-close to uniform. Moreover, after this fixing $W$ is a deterministic function of $X$ and thus is independent of $Y_2$. Note also that after this fixing, $Y_2'$ is a deterministic function of $Y_2$. Thus by Theorem 3.18 we have that 

$$(V_1, V_1', Y_2, Y_2') \approx_{O(2^{-4\ell})} (U_{8d^2}, V_1', Y_2, Y_2').$$

Therefore, we can now further fix $Y_2$ (and thus $Y_2'$) and with probability at least $1 - O(2^{-\ell})$ over this fixing, $(V_1, V_1')$ is $2^{-3\ell}$-close to $(U_{8d^2}, V_1')$. Thus we can further fix $V_1'$, and with probability at least $1 - 2^{-\ell}$ over this fixing, $V_1$ is $2^{-2\ell}$-close to uniform. Now note that $V_1$ has size $8d^2$ and $V_2'$ has size $2d^2$. Thus by Lemma 3.21, we can further fix $V_2'$, and with probability at least $1 - 2 \cdot 2^{-\ell}$ over this fixing, $V_1$ is $2^{-\ell}$-close to having min-entropy at least $8d^2 - 2d^2 - \ell \geq 5d^2$. 

Thus in this case we have shown that, with probability $1 - O(2^{-\ell})$ over the fixing of $Y$, with probability $1 - O(2^{-\ell})$ over the fixing of $Z'$, $Z$ is $2^{-\ell}$-close to having min-entropy at least $5d^2 \geq 5\ell^2$. 

Case 2: $Y_1 \neq Y_1'$. In this case, we first fix $Y_1$ and $Y_1'$. Note that after this fixing, $W$ and $W'$ are now deterministic functions of $X$. We now further fix $W$ and $W'$, and after this fixing, $X$ and $Y_2$ are still independent. Since the total size of $(W, W')$ is $40d^2$, by Lemma 3.19 we have that with probability $1 - 2^{-2\ell}$ over this fixing, $X$ still has min-entropy at least $60d^2 - 40d^2 - 2\ell \geq 12d^2$. Note also that after this fixing, $Y_2'$ is a deterministic function of $Y_2$. However, since $Y_1'$ may be a function of $Y_2$, fixing $Y_1'$ may cause $Y_2$ to lose entropy. Note that $Y_1'$ only has size $d$, thus by Lemma 3.19, with probability $1 - 2 \cdot 2^{-2\ell}$ over the fixing of $(Y_1, Y_1')$, we have that $Y_2$ has min-entropy at least $12d^2 - d - 2\ell \geq 11d^2$ and $S_0$ has min-entropy at least $40d - d - 2\ell \geq 38d$. 

Now assume that $X$ has min-entropy at least $12d^2$, $Y_2$ has min-entropy at least $11d^2$ and $S_0$ has min-entropy at least $38d$. This happens with probability at least $1 - O(2^{-\ell})$. For any $i$, $0 \leq i \leq t - 1$, let $\hat{S}_i = (S_0, \cdots, S_i)$, $\hat{S}'_i = (S_0', \cdots, S_i')$, $\hat{R}_i = (R_0, \cdots, R_i)$ and $\hat{R}'_i = (R_0', \cdots, R_i')$. Now by Lemma 5.1 (note that $Y_2 = (Q, S_0)$) we have that for any $i$, $0 \leq i \leq t - 1$, 

$$(R_i, \hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i', Y_2) \approx_{(2i+2)2^{-5\ell}} (U_d, \hat{S}_{i-1}, \hat{S}'_{i-1}, \hat{R}_{i-1}, \hat{R}'_{i-1}, S_i, S_i', Y_2).$$

Therefore, we have that for any $i$, 

$$(R_i, \hat{R}_{i-1}, \hat{R}'_{i-1}, Y_2) \approx_{(2i+2)2^{-5\ell}} (U_d, \hat{R}_{i-1}, \hat{R}'_{i-1}, Y_2).$$

Thus, for any $i$, with probability $1 - 2^{-1.25\ell}$ over the fixing of $Y_2$, we have 

$$(R_i, \hat{R}_{i-1}, \hat{R}'_{i-1}) \approx_{(2i+2)2^{-3.75\ell}} (U_d, \hat{R}_{i-1}, \hat{R}'_{i-1}).$$

By the union bound, we have that with probability $1 - t2^{-1.25\ell}$ over the fixing of $Y_2$, for any $i$, 

$$(R_i, \hat{R}_{i-1}, \hat{R}'_{i-1}) \approx_{(2i+2)2^{-3.75\ell}} (U_d, \hat{R}_{i-1}, \hat{R}'_{i-1}).$$

Consider a typical fixing of $Y_2$. Now note that $V_2 = \mathsf{laMAC}_R(Y_1)$ and $V_2' = \mathsf{laMAC}_{R'}(Y_1')$. Let the two sets in Lemma 6.2 that correspond to $Y_1$ and $Y_1'$ be $H$ and $H'$. Since $Y_1 \neq Y_1'$, by definition there exists $j \in [4d]$ such that $|H^{\geq j}| > |H'^{\geq j}|$. Let $l = |H^{\geq j}|$. Thus $l \leq t$ and $|H'^{\geq j}| \leq l - 1$. Let $R_H$ be the concatenation of $\{R_i, i \in H^{\geq j}\}$ and $R'_{H'}$ be the concatenation of $\{R'_i, i \in H'^{\geq j}\}$. 

By the above equation and the hybrid argument we have that 

$$(R_H, \hat{R}_{j-1}, \hat{R}'_{j-1}) \approx_{3t^2 \cdot 2^{-3.75\ell}} (U_{ld}, \hat{R}_{j-1}, \hat{R}'_{j-1}).$$

Thus now we can first fix $\hat{R}'_{j-1}$, and with probability $1 - 2^{-1.25\ell}$ over this fixing, we have 

$$R_H \approx_{3t^2 \cdot 2^{-2.5\ell}} U_{ld}.$$

We now fix $R'_{H'}$. Since $|H'^{\geq j}| \leq l - 1$, the size of $R'_{H'}$ is at most $(l - 1)d$. Thus by Lemma 3.21 we have that with probability at least $1 - (3t^2 + 1) \cdot 2^{-1.25\ell}$ over this fixing, $R_H$ is $2^{-1.25\ell}$-close to having min-entropy $ld - (l-1)d - 1.25\ell = d - 1.25\ell \geq \ell$. Note that after we fix $\hat{R}'_{j-1}$ and $R'_{H'}$, we have also fixed $V_2'$. Since $W'$ and $Y_2'$ are already fixed, $V_1'$ is also fixed. Thus $Z'$ is fixed. Therefore altogether we have that with probability $1 - 2 \cdot 2^{-2\ell} - t2^{-1.25\ell} = 1 - O(2^{-\ell})$ over the fixings of $Y$, with probability $1 - 2^{-1.25\ell} - (3t^2 + 1) \cdot 2^{-1.25\ell} = 1 - O(2^{-\ell})$ over the fixings of $Z'$, $Z$ is $2^{-1.25\ell}$-close to having min-entropy $\ell$. 

Combining Case 1 and Case 2, and noticing that the fraction of "bad seeds" that an adversary can achieve is at most the sum of the fractions of bad seeds in the two cases, by choosing an appropriate $\ell = O(s)$ we have that the construction is a $(k, s, 2^{-s})$-non-malleable condenser with seed length $O(\log n + s)^2$. ■ 

The following theorem is proved in [Li12a]. 

Theorem 6.5 ([Li12a]). There exists a constant $C > 1$ such that the following holds. For any integers $n, k$ and $\varepsilon > 0$, assume that there is an explicit $(k, k', \varepsilon)$-non-malleable condenser with seed length $d$ such that $k' \geq C(\log n + \log(1/\varepsilon))$. Then there exists an explicit 2-round privacy amplification protocol for $(n, k)$ sources with entropy loss $O(\log n + \log(1/\varepsilon))$ and communication complexity $O(d + \log n + \log(1/\varepsilon))$. 

Combining the above theorem and Theorem 6.4, we immediately get a 2-round privacy amplification protocol with optimal entropy loss for any $(n, k)$ source. 

Theorem 6.6. There exists a constant $C$ such that for any $\varepsilon > 0$ with $k \geq C(\log n + \log(1/\varepsilon))^2$, there exists an explicit 2-round privacy amplification protocol for $(n, k)$ sources with security parameter $\log(1/\varepsilon)$, entropy loss $O(\log n + \log(1/\varepsilon))$ and communication complexity $O(\log n + \log(1/\varepsilon))^2$. 

In fact, we have a slightly simpler protocol that uses the look-ahead extractor and MAC somewhat more directly, while achieving the same performance. 

We assume that the shared weak random source has min-entropy $k$, and the error $\varepsilon$ we seek satisfies $\varepsilon < 1/n$ and $k \geq C(\log n + \log(1/\varepsilon))^2$ for some constant $C > 1$. For convenience, in the description below we introduce an "auxiliary" security parameter $s$. Eventually, we will set $s = \log(C'/\varepsilon) + O(1) = \log(1/\varepsilon) + O(1)$, so that $C'/2^s \leq \varepsilon$, for a sufficiently large constant $C'$ related to the number of "bad" events we need to account for. We need the following building blocks: 

• Let $\mathsf{Ext}$ be a $(k, 2^{-5s})$-extractor with optimal entropy loss and seed length $d = O(\log n + s) \geq 202s$, from Theorem 3.16. Assume that $k \geq 15d^2$. 

• Let $\mathsf{Raz}$ be the two source extractor from Theorem 3.17. 

• Let $\mathsf{MAC}$ be the ("leakage-resilient") MAC, as in Theorem 3.12, with tag length $v = 2s$ and key length $\ell = 2v = 4s$. 

• Let $\mathsf{laExt}$ be the look-ahead extractor defined above, using $\mathsf{Ext}$ as $\mathsf{Ext}_q$ and $\mathsf{Ext}_w$. $\mathsf{laExt}$ is set up to extract from $x$ using seed $(q, s_0)$ such that $q = y_2$ and $s_0$ is the string that contains the first $40d$ bits of $y_2$, and outputs a string $r \in (\{0,1\}^d)^t$ with $t = 4d$. 

• Let $\mathsf{laMAC}_r(\mu)$ be the function defined above. 

• In the protocol Alice will sample three random strings $Y_1, Y_2, Y_3$, with size $d$, $12d^2$ and $50d^2$ respectively. 

Using the above building blocks, the protocol is given in Figure 2. To emphasize the adversary Eve, we use letters with 'prime' to denote all the variables seen or generated by Bob; e.g., Bob picks $W'$, but Alice may see a different $W$, etc. 
Alice: X                                Eve: E                                Bob: X

Sample random Y = (Y_1, Y_2, Y_3).
Compute R_2 = laExt(X, Y_2),
Z = laMAC_{R_2}(Y_1),
R_1 = Ext(X, Y_1), output 4s bits.
                           (Y_1, Y_2, Y_3) ------------>
                                                          Sample random W' with d bits.
                                                          Compute R_2' = laExt(X, Y_2'),
                                                          Z' = laMAC_{R_2'}(Y_1'),
                                                          R_1' = Ext(X, Y_1'), output 4s bits,
                                                          T_1' = Raz(Y_3', Z') with s bits,
                                                          T_2' = MAC_{R_1'}(W').
                                                          Set final R_B = Ext(X, W').
                           <------------ (W, T_1, T_2)
If T_1 != Raz(Y_3, Z) or
T_2 != MAC_{R_1}(W), reject.
Set final R_A = Ext(X, W).

Figure 2: 2-round Privacy Amplification Protocol. 
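The three pieces of machinery that Figure 2 combines, the alternating extraction / look-ahead extractor of Figure 1 (Section 5), the top-heavy set mapping of Lemma 6.2 and the two-round message flow itself, can be exercised end to end. The block below is an added example and not code from the paper: it simulates Alice, Bob and an in-flight Eve, checks Lemma 6.2 exhaustively for small $m$, and shows Alice rejecting when Eve alters $Y_1$ in round 1 or $W$ in round 2. All extractors ($\mathsf{Ext}$, $\mathsf{Ext}_q$, $\mathsf{Ext}_w$, $\mathsf{Raz}$) and the MAC are replaced by keyed-hash stand-ins (BLAKE2b), so what it demonstrates is the wiring of the protocol and its acceptance checks, not the information-theoretic guarantees of Theorem 6.7; the toy sizes ($d = 8$ bits, $s = 32$ bits, $t = 4d = 32$) and every function name are choices made here.

```python
"""Added example (not the paper's code): an executable sketch of the 2-round
protocol of Figure 2, built on the alternating-extraction look-ahead extractor
of Figure 1 and the top-heavy set mapping of Lemma 6.2.  Ext, Ext_q, Ext_w,
Raz and the MAC are keyed-hash STAND-INS (BLAKE2b), so this shows message flow
and Alice's checks only; all sizes are toy values (d = 8 bits, s = 32 bits)."""
import hashlib
import secrets

D_BITS, D_BYTES = 8, 1              # block length d; toy value
T = 4 * D_BITS                      # look-ahead rounds t = 4d, so laMAC indexes {1..t}
S_BYTES = 4                         # security parameter s in bytes (T_1 has s bits)
Y2_BYTES = 12 * D_BITS ** 2 // 8    # |Y_2| = 12 d^2 bits
S0_BYTES = 40 * D_BITS // 8         # S_0 = first 40 d bits of Y_2
Y3_BYTES = 50 * D_BITS ** 2 // 8    # |Y_3| = 50 d^2 bits


def ext(source, seed, nbytes, label):
    """Keyed-hash stand-in for a strong extractor (Ext, Ext_q, Ext_w or Raz)."""
    return hashlib.blake2b(source + seed, key=label, digest_size=nbytes).digest()


def la_ext(x, q, s0):
    """laExt(X, (Q, S_0)) = (R_1, ..., R_t) via Figure 1: Quentin (Q, S_0) and
    Wendy (X) alternate, each reply seeding the other's next extraction."""
    r = ext(x, s0, D_BYTES, b"Raz")             # R_0 = Raz(S_0, X)
    out = []
    for _ in range(T):
        s = ext(q, r, D_BYTES, b"Ext_q")        # S_i = Ext_q(Q, R_{i-1})
        r = ext(x, s, D_BYTES, b"Ext_w")        # R_i = Ext_w(X, S_i)
        out.append(r)
    return out


def bits(mu, m):
    """b_1..b_m of an m-bit message, most significant bit first."""
    return [(mu >> (m - 1 - i)) & 1 for i in range(m)]


def top_heavy_set(mu, m):
    """f(mu) = {4i-3+b_i, 4i-b_i : i = 1..m}: b_i picks {4i-3, 4i} or {4i-2, 4i-1}."""
    return {e for i, b in enumerate(bits(mu, m), 1) for e in (4 * i - 3 + b, 4 * i - b)}


def is_top_heavy(s1, s2, t):
    """(s1, s2) is top-heavy if some j has |s1^{>=j}| > |s2^{>=j}| (Definition 6.1)."""
    return any(sum(e >= j for e in s1) > sum(e >= j for e in s2) for j in range(1, t + 1))


def pairwise_top_heavy(m):
    """Exhaustive check of Lemma 6.2 over all ordered pairs of distinct m-bit messages."""
    sets = [top_heavy_set(mu, m) for mu in range(1 << m)]
    return all(is_top_heavy(sets[i], sets[j], 4 * m)
               for i in range(len(sets)) for j in range(len(sets)) if i != j)


def la_mac(r, mu):
    """laMAC_r(mu) = [r_i | i in S_mu], concatenated in increasing i."""
    return b"".join(r[i - 1] for i in sorted(top_heavy_set(mu, D_BITS)))


def derive(x, y1, y2):
    """Shared by both parties: R_1 = Ext(X, Y_1) as the 4s-bit MAC key, and
    Z = laMAC_{R_2}(Y_1) with R_2 = laExt(X, Y_2), S_0 = first 40d bits of Y_2."""
    z = la_mac(la_ext(x, y2, y2[:S0_BYTES]), y1)
    return ext(x, bytes([y1]), 4 * S_BYTES, b"Ext"), z


def bob(x, msg1):
    """Round 2: Bob gets (Y_1', Y_2', Y_3'), picks W', sends (W', T_1', T_2'), sets R_B."""
    y1, y2, y3 = msg1
    r1, z = derive(x, y1, y2)
    w = secrets.token_bytes(D_BYTES)
    t1 = ext(y3, z, S_BYTES, b"Raz")                       # T_1' = Raz(Y_3', Z')
    t2 = hashlib.blake2b(w, key=r1, digest_size=2 * S_BYTES).digest()  # MAC_{R_1'}(W') stand-in
    return (w, t1, t2), ext(x, w, 32, b"Ext")              # R_B = Ext(X, W')


def alice(x, y, msg2):
    """Alice checks T_1 against Raz(Y_3, Z) and T_2 against MAC_{R_1}(W); None = reject."""
    y1, y2, y3 = y
    w, t1, t2 = msg2
    r1, z = derive(x, y1, y2)
    if t1 != ext(y3, z, S_BYTES, b"Raz"):
        return None
    if t2 != hashlib.blake2b(w, key=r1, digest_size=2 * S_BYTES).digest():
        return None
    return ext(x, w, 32, b"Ext")                            # R_A = Ext(X, W)


def run(eve1=lambda m: m, eve2=lambda m: m):
    """One execution; eve1 / eve2 rewrite the round-1 / round-2 message in flight."""
    x = secrets.token_bytes(32)                             # shared secret (constructed)
    y = (secrets.randbits(D_BITS), secrets.token_bytes(Y2_BYTES), secrets.token_bytes(Y3_BYTES))
    msg2, rb = bob(x, eve1(y))
    return alice(x, y, eve2(msg2)), rb


def tamper_y1(m):
    """Eve flips one bit of Y_1 in round 1 (Case 2 of the proof of Theorem 6.7)."""
    return (m[0] ^ 1, m[1], m[2])


def tamper_w(m):
    """Eve flips one bit of W in round 2 (Case 1 of the proof of Theorem 6.7)."""
    return (bytes([m[0][0] ^ 1]), m[1], m[2])


if __name__ == "__main__":
    print("Lemma 6.2 holds for m = 3      :", pairwise_top_heavy(3))
    ra, rb = run()
    print("passive Eve, R_A == R_B        :", ra is not None and ra == rb)
    print("Eve alters Y_1, Alice rejects  :", run(eve1=tamper_y1)[0] is None)
    print("Eve alters W,   Alice rejects  :", run(eve2=tamper_w)[0] is None)
```

Altering $Y_1$ changes which look-ahead blocks enter $Z'$ on Bob's side, so $T_1' = \mathsf{Raz}(Y_3', Z')$ no longer matches Alice's $\mathsf{Raz}(Y_3, Z)$; altering $W$ breaks the MAC check under $R_1$. With hash stand-ins both rejections are "only" overwhelmingly likely ($2^{-32}$ and $2^{-64}$ accidental-match probabilities), which is the sense in which the simulation mirrors the $O(2^{-s})$ bounds of the proof without establishing them.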



Theorem 6.7. Assume that k > C(logn + log(l/e)) 2 for some constant C > 1. The above protocol 
is a privacy amplification protocol with security parameter log(l/e), entropy loss 0(log(l/e)) and 
communication complexity 0(log(l/e) 2 ). 

Proof. The proof can be divided into two cases: whether the adversary changes $Y_1$ or not.

Case 1: The adversary does not change $Y_1$. In this case, note that $R_1 = R'_1$ and is $2^{-5s}$-close to uniform in Eve's view (even conditioned on $Y_1, Y_2, Y_3$). Thus the property of the MAC guarantees that Bob can authenticate $W'$ to Alice. However, one thing to note here is that Eve has some additional information, namely $T'_1$, which can leak information about the MAC key. On the other hand, the size of $T'_1$ is $s$, thus by Lemma 3.9 the average conditional min-entropy $\tilde{H}_\infty(R_1 | T'_1)$ is at least $3s$. Therefore by Theorem 3.12 the probability that Eve can change $W'$ to a different $W$ without causing Alice to reject is at most

$$\frac{d}{2s} \cdot 2^{2s - \tilde{H}_\infty(R_1 | T'_1)} + 2^{-5s} \le O(2^{2s - 3s}) + 2^{-5s} \le O(2^{-s}).$$

When $W = W'$, by Theorem 3.16 $R_A = R_B$ and is $2^{-5s}$-close to uniform in Eve's view.

Case 2: The adversary does change $Y_1$. Thus we have $Y_1 \neq Y'_1$. Here the proof is similar to the proof of the non-malleable condenser. We first fix $Y_1$ and $Y'_1$. Note that after this fixing, $R_1$ and $R'_1$ are now deterministic functions of $X$. We now further fix $R_1$ and $R'_1$, and after this fixing, $X$ and $(Y_2, Y_3)$ are still independent. Since the total size of $(R_1, R'_1)$ is $8s$, by Lemma 3.19 we have that with probability $1 - 2^{-2s}$ over this fixing, $X$ still has min-entropy at least $15d^2 - 8s - 2s > 12d^2$. Note also that after this fixing, $Y'_2$ is a deterministic function of $(Y_2, Y_3)$. However, since $Y'_1$ may be a function of $Y_2$, fixing $Y'_1$ may cause $Y_2$ to lose entropy. Note that $Y'_1$ only has size $d$, thus by Lemma 3.19, with probability $1 - 2 \cdot 2^{-2s}$ over the fixing of $(Y_1, Y'_1)$, we have that $Y_2$ has min-entropy at least $12d^2 - d - 2s > 11d^2$ and $S_0$ has min-entropy at least $40d - d - 2s > 38d$.
Now assume that $X$ has min-entropy at least $12d^2$, $Y_2$ has min-entropy at least $11d^2$ and $S_0$ has min-entropy at least $38d$. This happens with probability at least $1 - O(2^{-s})$. For any $i$, $0 \le i \le t-1$, let $\bar{S}_i = (S_0, \cdots, S_i)$, $\bar{S}'_i = (S'_0, \cdots, S'_i)$, $\bar{R}_i = (R_0, \cdots, R_i)$ and $\bar{R}'_i = (R'_0, \cdots, R'_i)$. Again by Lemma 5.1 we have that for any $i$,

$$(R_i, \bar{S}_{i-1}, \bar{S}'_{i-1}, \bar{R}_{i-1}, \bar{R}'_{i-1}, S_i, S'_i, Y_2, Y'_2) \approx_{(2i+2)2^{-5s}} (U_d, \bar{S}_{i-1}, \bar{S}'_{i-1}, \bar{R}_{i-1}, \bar{R}'_{i-1}, S_i, S'_i, Y_2, Y'_2).$$

Thus for any $i$, we have

$$(R_i, \bar{R}_{i-1}, \bar{R}'_{i-1}, Y_2, Y'_2) \approx_{(2i+2)2^{-5s}} (U_d, \bar{R}_{i-1}, \bar{R}'_{i-1}, Y_2, Y'_2).$$

Now by the same analysis as in the proof of the non-malleable condenser (and recall that $Y_1 \neq Y'_1$), we have that with probability $1 - t 2^{-1.25s}$ over the fixing of $(Y_2, Y'_2)$, with probability at least $1 - (3t^2 + 1) \cdot 2^{-1.25s}$ over the fixing of $Z'$, $Z$ is $2^{-1.25s}$-close to having min-entropy $d - 1.25s > 200s$.

Note that we have now fixed $(Y_1, Y'_1, Y_2, Y'_2)$ and $(R_1, R'_1, Z')$. After all these fixings, $Z$ is a deterministic function of $X$ and is $2^{-1.25s}$-close to having min-entropy $200s$. Thus $Z$ is independent of $Y_3$ (note that $Z'$ is also a deterministic function of $X$, thus fixing $Z'$ does not influence the independence of $Z$ and $Y_3$). Note that after these fixings, $Y'_3$ is a deterministic function of $Y_3$, and since the size of $(Y'_1, Y'_2)$ is $d + 12d^2 < 13d^2$, by Lemma 3.19 $Y_3$ is $2^{-s}$-close to having min-entropy $50d^2 - 13d^2 - s > 36d^2$. Thus by Theorem 3.17 we have

$$(\mathsf{Raz}(Y_3, Z), Y_3, Y'_3) \approx_{O(2^{-s})} (U_s, Y_3, Y'_3).$$

Since we already fixed $(Y_1, Y'_1, Y_2, Y'_2)$ and $(R_1, R'_1, Z')$, and $W'$ is independent of all random variables above, this also implies that

$$(\mathsf{Raz}(Y_3, Z), R'_1, Z', Y, Y', W') \approx_{O(2^{-s})} (U_s, R'_1, Z', Y, Y', W').$$

Note that $T'_1 = \mathsf{Raz}(Y'_3, Z')$ and $T'_2 = \mathsf{MAC}_{R'_1}(W')$. Thus we have

$$(\mathsf{Raz}(Y_3, Z), T'_1, T'_2, Y, Y', W') \approx_{O(2^{-s})} (U_s, T'_1, T'_2, Y, Y', W').$$

Therefore, the probability that the adversary can guess the correct $T_1$ is at most $2^{-s} + O(2^{-s}) = O(2^{-s})$. For an appropriately chosen $s = \log(1/\epsilon) + O(1)$ this is at most $\epsilon$. Note that conditioned on the fixing of $Y$, the random variables that are used to authenticate $W'$ are $(R_1, T_1)$, which are deterministic functions of $X$ and have size $O(s)$, thus the entropy loss of the protocol is $O(\log(1/\epsilon))$. The communication complexity can be easily verified to be $O(\log(1/\epsilon)^2)$. □

7 Improved Privacy Amplification Protocol for Smaller Error 

The 2-round protocol described above only works for security parameter up to $\Omega(\sqrt{k})$. In this section we generalize the above protocol and give a protocol that can achieve security parameter up to $\Omega(k)$, or equivalently, error as small as $2^{-\Omega(k)}$. First we need the following definition and theorem.

Definition 7.1. For any two strings $c$ and $c'$ of length $\Lambda_c$, let $\mathsf{EditDis}(c, c')$ denote the edit distance between $c$ and $c'$, i.e., the minimum number of single-bit insert, delete or alter operations required to change string $c$ into $c'$.

Definition 7.2. [CKOR10] Let $m \in \{0,1\}^{\Lambda_m}$. For some constant $0 < \varepsilon < 1$, a function $\mathsf{Edit} : \{0,1\}^{\Lambda_m} \to \{0,1\}^{\Lambda_c}$ is a $(\Lambda_m, \varepsilon, \rho)$-code for edit errors, if $\rho \Lambda_c = \Lambda_m$ and the following properties are satisfied:

• $c = \mathsf{Edit}(m)$ can be computed in polynomial (in $\Lambda_m$) time, given $m$, for all $m \in \{0,1\}^{\Lambda_m}$.

• For any $m, m' \in \{0,1\}^{\Lambda_m}$ with $m \neq m'$, $\mathsf{EditDis}(c, c') \ge \varepsilon \Lambda_c$, where $c = \mathsf{Edit}(m)$ and $c' = \mathsf{Edit}(m')$.

$\rho = \Lambda_m / \Lambda_c$ is called the rate of the code.

As in [CKOR10] the code we use is due to Schulman and Zuckerman [SZ99]:

Theorem 7.3 ([SZ99, CKOR10]). Let $0 < \varepsilon < 1$ be a constant. Then for some constant $0 < \rho < 1$ there exists a $(\Lambda_m, \varepsilon, \rho)$-code for edit errors.

We assume that the shared weak random source has min-entropy $k \ge \log^4 n$, and the error $\epsilon$ we seek satisfies $2^{-\beta k} \le \epsilon \le 2^{-\Omega(\sqrt{k})}$ for some constant $\beta < 1$. Again, in the description below we will introduce an "auxiliary" security parameter $s$ with $s = C'(\log(1/\epsilon))$ for some sufficiently large constant $C'$. We will also use another parameter $\ell = \alpha \sqrt{k}$ for some constant $0 < \alpha < 1$ such that $k \ge C(\log n + \ell)^2$ for some constant $C > 1$. We need the following building blocks:

• Let $\mathsf{Ext}_1$ be a $(k, 2^{-s})$-extractor with optimal entropy loss and seed length $d_1 = O(\log n + s) = O(s) \ge 2s$, from Theorem 3.16.

• Let $\mathsf{Ext}_2$ be a $(k, 2^{-10\ell})$-extractor with seed length $d_2 = O(\log n + \ell) = O(\ell) \ge 404\ell$ and output length $d_2$, from Theorem 3.16. Assume that $k \ge d_1/\rho + 2s + 15d_2^2$.

• Let $\mathsf{Raz}$ be the two-source extractor from Theorem 3.17.

• Let $\mathsf{MAC}$ be the ("leakage-resilient") MAC, as in Theorem 3.12, with tag length $v = 2d_1/\rho$ and key length $2v = 4d_1/\rho$.

• Let $\mathsf{laExt}$ be the look-ahead extractor defined above, using $\mathsf{Ext}_2$ as $\mathsf{Ext}_q$ and $\mathsf{Ext}_s$. $\mathsf{laExt}$ is set up to extract from $x$ using seed $(q, s_0)$ such that $q = y_2$ and $s_0$ is the string that contains the first $40d_2$ bits of $y_2$, and output a string $r \in (\{0,1\}^{d_2})^t$ with $t = 4d_2$.

• Let $\mathsf{laMAC}_r(\mu)$ be the function defined above.

• In each phase of the protocol Alice will sample two random strings $Y_{i2}, Y_{i3}$, with size $12d_2^2$ and $50d_2^2$ respectively.

Given these building blocks, our protocol runs in roughly $L = d_1/(\rho d_2)$ phases. The protocol is given in Figure 3.

We now have the following theorem.

Theorem 7.4. The probability that Eve can successfully change $Y$ into $Y' \neq Y$ without causing either Alice or Bob to reject is at most $2^{-\Omega(s)}$.
Alice: $X$                    Eve: $E$                    Bob: $X$

Phase 1

Alice: Sample random $Y$ with $d_1$ bits. Let $M = \mathsf{Edit}(Y)$; $M$ has length $d_1/\rho$. Divide $M$ sequentially into $L$ blocks $M = M_1 \circ \cdots \circ M_L$ with each block having $d_2$ bits. Sample random $(Y_{12}, Y_{13})$. Compute $R_1 = \mathsf{laExt}(X, Y_{12})$ and $Z_1 = \mathsf{laMAC}_{R_1}(M_1)$.

Alice → Bob: $(Y, M_1, Y_{12}, Y_{13})$; Bob receives $(Y', M'_1, Y'_{12}, Y'_{13})$.

Bob: Sample random $W'_1$ with $d_2$ bits. Compute $R'_1 = \mathsf{laExt}(X, Y'_{12})$, $Z'_1 = \mathsf{laMAC}_{R'_1}(M'_1)$ and $T'_1 = \mathsf{Raz}(Y'_{13}, Z'_1)$ with $2\ell$ bits.

Bob → Alice: $(W'_1, T'_1)$; Alice receives $(W_1, T_1)$.

Alice: If $T_1 \neq \mathsf{Raz}(Y_{13}, Z_1)$ reject.

Phases 2..L (for $i = 2$ to $L$)

Alice: Sample random $(Y_{i2}, Y_{i3})$. $V_{i-1} = \mathsf{Ext}_2(X, W_{i-1})$ with $2\ell$ bits. $R_i = \mathsf{laExt}(X, Y_{i2})$. $Z_i = \mathsf{laMAC}_{R_i}(M_i)$.

Alice → Bob: $(V_{i-1}, M_i, Y_{i2}, Y_{i3})$; Bob receives $(V'_{i-1}, M'_i, Y'_{i2}, Y'_{i3})$.

Bob: If $V'_{i-1} \neq \mathsf{Ext}_2(X, W'_{i-1})$ reject. Sample random $W'_i$ with $d_2$ bits. $R'_i = \mathsf{laExt}(X, Y'_{i2})$. $Z'_i = \mathsf{laMAC}_{R'_i}(M'_i)$. $T'_i = \mathsf{Raz}(Y'_{i3}, Z'_i)$ with $2\ell$ bits.

Bob → Alice: $(W'_i, T'_i)$; Alice receives $(W_i, T_i)$.

Alice: If $T_i \neq \mathsf{Raz}(Y_{i3}, Z_i)$ reject.

EndFor

Phase L+1

Alice: $R = \mathsf{Ext}_1(X, Y)$ with $4d_1/\rho$ bits. $V_L = \mathsf{Ext}_2(X, W_L)$ with $2\ell$ bits.

Alice → Bob: $(V_L)$; Bob receives $(V'_L)$.

Bob: $M' = M'_1 \circ \cdots \circ M'_L$. If $M' \neq \mathsf{Edit}(Y')$ reject. $R' = \mathsf{Ext}_1(X, Y')$ with $4d_1/\rho$ bits. If $V'_L \neq \mathsf{Ext}_2(X, W'_L)$ reject. Sample random $W'$ with $d_1$ bits. $T' = \mathsf{MAC}_{R'}(W')$. Set final $R_B = \mathsf{Ext}_1(X, W')$.

Bob → Alice: $(W', T')$; Alice receives $(W, T)$.

Alice: If $T \neq \mathsf{MAC}_R(W)$ reject. Set final $R_A = \mathsf{Ext}_1(X, W)$.

Figure 3: $(2L+2)$-round Privacy Amplification Protocol for $H_\infty(X|E) \ge k$.



Proof. We analyze the transcript of the protocol in Eve's view. Normally, Eve should alternate interactions with Alice and Bob to send the encoded string $M$. However, since Eve is adversarial, she may do several interactions with Alice or Bob before she resumes interaction with the other. If Eve interacts with Alice twice before she interacts with Bob, then this can be viewed as deleting the first block of message that Alice sends. We call this operation "D". If Eve interacts with Bob twice before she interacts with Alice, then this can be viewed as inserting a block of message to Bob. We call this operation "I". If Eve does not do the above two operations but changes some $M_i$ into a different string $M'_i$ and sends it to Bob, then this can be viewed as altering this block of message. We call this operation "A".

Now if Eve successfully changes $Y$ into $Y' \neq Y$ without causing either Alice or Bob to reject, then she must also successfully change $M = \mathsf{Edit}(Y)$ to $M' = \mathsf{Edit}(Y')$ without causing either Alice or Bob to reject, by a series of (D, I, A) operations. During these operations, we say that at some point Eve has to answer a challenge if Eve has to correctly guess the value of a string that is (close to) uniform even conditioned on the fixing of all transcripts up to this time. We now have the following lemma.

Lemma 7.5. For all (D, I, A) operations, except A operations that are immediately followed by I operations, Eve has to answer a challenge.

Proof of the lemma. We shall be imprecise about the numbers here. The exact numbers will appear in our next lemma. Note that in the whole protocol the total size of the messages that contain information about $X$ (the $(V, V')$s and $(T, T')$s) is at most $L(8\ell) = d_1/(\rho d_2) \cdot (8\ell) \le d_1/\rho$ and $k \ge d_1/\rho + 2s + 15d_2^2$. Thus at any time, even conditioned on the fixing of the transcript, $X$ still has a lot of entropy.

Now if Eve performs a D operation after Alice sends out $(V_{i-1}, M_i, Y_{i2}, Y_{i3})$, then by definition Eve is going to interact with Alice again without interacting with Bob. However Alice is not going to do anything until she receives a response $T_i$ from Bob and checks that $T_i = \mathsf{Raz}(Y_{i3}, Z_i)$. By the same analysis as in Theorem 6.7, even conditioned on the transcript, $\mathsf{Raz}(Y_{i3}, Z_i)$ is close to uniform. Thus Eve has to answer a challenge.

If Eve performs an I operation after Bob sends out $(W'_i, T'_i)$, then by definition Eve is going to interact with Bob again without interacting with Alice. However Bob is not going to do anything until he receives a response $V'_i$ from Alice and checks that $V'_i = \mathsf{Ext}_2(X, W'_i)$. Since conditioned on the transcript $X$ has a lot of entropy and $W'_i$ is uniform and independent of the transcript and $X$, we have that $\mathsf{Ext}_2(X, W'_i)$ is close to uniform. Thus Eve has to answer a challenge.

If Eve performs an A operation that is not followed by an I operation, then by definition Eve alters a message $M_i$ to $M'_i$, sends it to Bob, and next she is going to interact with Alice (otherwise Eve is going to perform an I operation). Conditioned on the fixing of the transcript before Alice sends out $(V_{i-1}, M_i, Y_{i2}, Y_{i3})$, this is exactly the 2-round protocol as in Theorem 6.7. Since conditioned on the transcript $X$ has a lot of entropy and $M_i \neq M'_i$, by the same analysis as in Theorem 6.7, even further conditioned on the transcript of these two rounds, $\mathsf{Raz}(Y_{i3}, Z_i)$ is close to uniform. Thus Eve has to answer a challenge.

We note that if Eve performs an A operation followed by an I operation, then the above argument may not work (Eve may not have to answer a challenge for the A operation), because the subsequent messages sent out by Bob induced by the I operation may give additional information about $\mathsf{Raz}(Y_{i3}, Z_i)$. ■

Our next lemma bounds the probability that Eve successfully answers a challenge. 
Lemma 7.6. For any $i \in \mathbb{N}$, let $H_i$ stand for the event that Eve successfully answers the $i$'th challenge and $E_i = \bigcap_{j=1}^{i} H_j$ stand for the event that Eve successfully answers all the challenges up to the $i$'th challenge. Then if $\Pr[E_i] \ge 2^{-s}$, we have

$$\Pr[H_{i+1} \mid E_i] \le 2^{-\ell}.$$

Proof of the lemma. Note that in the whole protocol the total size of the messages that contain information about $X$ (the $V$s and $T$s) is at most $L(8\ell) = d_1/(\rho d_2) \cdot (8\ell) \le d_1/\rho$ and $k \ge d_1/\rho + 2s + 15d_2^2$. Thus by Lemma 3.19, at any time, with probability $1 - 2^{-2s}$ over the fixing of the previous transcript, $X$ has min-entropy at least $k - d_1/\rho - 2s \ge 15d_2^2$.

Now we fix the transcript up to the time before Eve answers the $i+1$'th challenge. The transcript thus determines if Eve successfully answers all previous $i$ challenges. Now consider the transcripts that are in $E_i$. If $\Pr[E_i] \ge 2^{-s}$, we have that conditioned on $E_i$, with probability at least $1 - 2^{-2s}/\Pr[E_i] \ge 1 - 2^{-s}$ over the fixing of the transcript, $X$ has min-entropy at least $15d_2^2$.

Now assume $X$ indeed has min-entropy at least $15d_2^2$. If for the $i+1$'th challenge, Eve performs a D operation or an A operation not followed by an I operation, then by the same analysis as in Theorem 6.7, $\Pr[H_{i+1}] \le O(2^{-2\ell})$. If Eve performs an I operation, then by Theorem 3.16, we have $(\mathsf{Ext}_2(X, W'_i), W'_i) \approx_{2^{-10\ell}} (U_{2\ell}, W'_i)$. Thus we have $\Pr[H_{i+1}] \le 2^{-2\ell} + 2^{-10\ell} = O(2^{-2\ell})$. Adding back the error $2^{-s}$, we have

$$\Pr[H_{i+1} \mid E_i] \le O(2^{-2\ell}) + 2^{-s} \le 2^{-\ell}.$$

■

Our last lemma bounds the number of challenges that Eve has to answer. 

Lemma 7.7. If Eve successfully changes $Y$ into $Y' \neq Y$ without causing either Alice or Bob to reject, then she successfully answers at least $2\varepsilon L/3$ challenges, where $\varepsilon$ is the constant in Theorem 7.3.

Proof of the lemma. If Eve successfully changes $Y$ into $Y' \neq Y$, then she also successfully changes $M = \mathsf{Edit}(Y)$ to $M' = \mathsf{Edit}(Y')$. Let $a$ be the number of D operations Eve performs, $b$ be the number of I operations Eve performs and $c$ be the number of A operations Eve performs. Since an operation on a block with size $d_2$ is at most $d_2$ operations on the bits, by the property of the edit distance code, we have

$$(a + b + c) d_2 \ge \varepsilon d_2 L.$$

Thus

$$(a + b + c) \ge \varepsilon L.$$

By Lemma 7.5, only A operations that are immediately followed by I operations may not cause Eve to answer a challenge. We now bound the number of such A operations.

Let $d$ stand for the number of A operations that are immediately followed by I operations. Thus $d \le c$ and $d \le b$. Note that the length of the codeword is fixed, thus we must have $a = b$ and therefore $d \le a$. Thus we have

$$d \le (a + b + c)/3.$$

Therefore the number of challenges that Eve successfully answers is at least

$$a + b + c - d \ge 2(a + b + c)/3 \ge 2\varepsilon L/3.$$

■

Now let $q \ge 2\varepsilon L/3$ be the number of challenges that Eve successfully answers. Then the probability that this happens is (let $E_0$ be the event that is always true)

$$\Pr[E_q] = \prod_{j=1}^{q} \Pr[H_j \mid E_{j-1}].$$

Now if for some $1 \le j \le q-1$ we have $\Pr[E_j] < 2^{-s}$, then we are already done because $\Pr[E_q] \le \Pr[E_j] < 2^{-s}$. Otherwise by Lemma 7.6 we must have that for any $1 \le j \le q$, $\Pr[H_j \mid E_{j-1}] \le 2^{-\ell}$. Thus we have

$$\Pr[E_q] = \prod_{j=1}^{q} \Pr[H_j \mid E_{j-1}] \le (2^{-\ell})^q \le (2^{-\ell})^{2\varepsilon L/3} = 2^{-\Omega(d_1)} = 2^{-\Omega(s)}.$$

■
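As an added illustration (not code from the paper), the following Python replays a constructed block-level schedule of Eve's D, I and A operations against the blocks $M_1 \circ \cdots \circ M_L$, counts the challenges she must answer under Lemma 7.5, and checks the bound $a + b + c - d \ge 2(a+b+c)/3$ of Lemma 7.7 exhaustively for all short schedules with $a = b$. The 'K' marker (a block forwarded unchanged), the block labels and the sample schedule are assumptions of the example.

```python
"""Block-level model of Eve's D / I / A operations on the codeword
M = M_1 o ... o M_L (Section 7), the challenge count of Lemma 7.5 and the
counting bound of Lemma 7.7.  Added illustration, not code from the paper;
the 'K' marker (forward a block unchanged) and all block labels are
constructed for this example."""
from itertools import product


def edit_distance(c, c2):
    """Definition 7.1 applied to arbitrary sequences: the minimum number of
    single-symbol insert, delete or alter operations that turn c into c2."""
    prev = list(range(len(c2) + 1))
    for i, ci in enumerate(c, 1):
        cur = [i]
        for j, cj in enumerate(c2, 1):
            cur.append(min(prev[j] + 1,                 # delete ci
                           cur[j - 1] + 1,              # insert cj
                           prev[j - 1] + (ci != cj)))   # alter, or match
        prev = cur
    return prev[-1]


def apply_ops(blocks, ops):
    """Replay Eve's schedule against the blocks Alice sends, in order.
    Entries are ('K', None): forward the next block unchanged, ('D', None):
    delete it, ('A', b): replace it by b, ('I', b): insert b before it.
    Returns the block sequence Bob receives."""
    out, i = [], 0
    for kind, payload in ops:
        if kind == 'I':
            out.append(payload)
            continue
        block, i = blocks[i], i + 1
        if kind == 'K':
            out.append(block)
        elif kind == 'A':
            out.append(payload)
        elif kind != 'D':
            raise ValueError("unknown operation %r" % kind)
    if i != len(blocks):
        raise ValueError("schedule does not consume every block")
    return out


def count_challenges(ops):
    """Lemma 7.5: every D, I and A operation forces Eve to answer a challenge,
    except an A operation that is immediately followed by an I operation
    (a forwarded block in between means Eve talked to Alice first)."""
    kinds = [k for k, _ in ops]
    n = 0
    for j, k in enumerate(kinds):
        if k == 'K':
            continue
        if k == 'A' and j + 1 < len(kinds) and kinds[j + 1] == 'I':
            continue
        n += 1
    return n


def lemma_7_7_bound(ops):
    """Counts in the notation of Lemma 7.7: a = #D, b = #I, c = #A,
    d = #(A immediately followed by I); the lemma's lower bound on the
    number of challenges is a + b + c - d >= 2(a + b + c)/3."""
    kinds = [k for k, _ in ops]
    a, b, c = kinds.count('D'), kinds.count('I'), kinds.count('A')
    d = sum(1 for j in range(len(kinds) - 1)
            if kinds[j] == 'A' and kinds[j + 1] == 'I')
    return a, b, c, d, 2 * (a + b + c) / 3


def verify_bound_exhaustively(max_ops):
    """Check every schedule of up to max_ops operations with #D == #I (Bob
    checks that the codeword length is unchanged, so a = b) against the bound
    of Lemma 7.7.  Returns the number of schedules checked."""
    checked = 0
    for n in range(1, max_ops + 1):
        for kinds in product('DIA', repeat=n):
            if kinds.count('D') != kinds.count('I'):
                continue
            ops = [(k, None) for k in kinds]
            assert count_challenges(ops) >= lemma_7_7_bound(ops)[4], kinds
            checked += 1
    return checked


def demo():
    """Constructed L = 6 block codeword and one schedule of Eve's: alter M_1
    and immediately insert (the exempt pattern), delete M_3, alter M_5."""
    blocks = ["M1", "M2", "M3", "M4", "M5", "M6"]
    ops = [('A', 'X1'), ('I', 'X2'), ('K', None), ('D', None),
           ('K', None), ('A', 'X5'), ('K', None)]
    received = apply_ops(blocks, ops)
    return (received, edit_distance(blocks, received),
            count_challenges(ops), lemma_7_7_bound(ops))


if __name__ == "__main__":
    received, dist, challenges, (a, b, c, d, bound) = demo()
    print("Bob receives", received)
    print("block edit distance", dist, "<= a+b+c =", a + b + c)
    print("challenges", challenges, ">= 2(a+b+c)/3 =", round(bound, 2))
    print("schedules checked:", verify_bound_exhaustively(6))
```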

We now have the following theorem. 

Theorem 7.8. There exists a constant $C > 1$ such that for any $k, n \in \mathbb{N}$ with $k \ge \log^4 n$ and any $\epsilon > 0$ with $k \ge C(\log(1/\epsilon))$ there exists an explicit $O((\log n + \log(1/\epsilon))/\sqrt{k})$ round privacy amplification protocol for $(n, k)$ sources with security parameter $\log(1/\epsilon)$, entropy loss $O(\log n + \log(1/\epsilon))$ and communication complexity $O((\log n + \log(1/\epsilon))\sqrt{k})$.

Proof. Without loss of generality we assume that $\epsilon < 2^{-\Omega(\sqrt{k})}$, otherwise we can use the 2-round protocol in Theorem 6.7. Now we show that the protocol in Figure 3 is such a protocol.

First, if Eve is passive then with probability 1 Alice and Bob agree on the random string $W = W'$. Note that the random variables that contain information about $X$ which are used to authenticate $Y$ are $\{V_i, V'_i, T_i, T'_i\}$, and the total size of these random variables is at most $L(8\ell) = d_1/(\rho d_2) \cdot (8\ell) \le d_1/\rho$. Note that the random variable used to authenticate $W'$ is $R = R'$, which has size at most $4d_1/\rho$. Thus the total size of the random variables in the transcript that contain information about $X$ is at most $5d_1/\rho = O(s)$. Thus we have that conditioned on the fixing of $(Y, \{M_i, V_i, V'_i, T_i, T'_i, Y_{i2}, Y_{i3}, W_i\}, R)$, the average conditional min-entropy of $X$ is $k - O(s)$, and $W$ is independent of $X$. Thus by Theorem 3.16 we have that $R_A = R_B$ is $2^{-s}$-close to being uniform conditioned on all the transcript, and the entropy loss is $O(s)$.

Next, if Eve is active and wants to make $R_A \neq R_B$, then she has to change $W'$ into a different $W$. Now we have two cases. If Eve does not change $Y$, then we have $Y = Y'$ and thus by Theorem 3.16 $R = R'$ and is $2^{-s}$-close to being private and uniform even conditioned on $Y$. Note that conditioned on the fixing of $Y$, $R = R'$ is a deterministic function of $X$ with size $4d_1/\rho$. Since the total size of the random variables in the transcript up till now that contain information about $X$ is at most $d_1/\rho$, by Lemma 3.9 the average conditional min-entropy of $R$ is at least $3d_1/\rho$. Thus, by Theorem 3.12 the probability that Eve can change $W'$ into a different $W$ without causing Alice to reject is at most $\rho/2 \cdot 2^{-d_1/\rho} < 2^{-s}$. In the other case, by Theorem 7.4 the probability that Eve can successfully change $Y$ into $Y' \neq Y$ without causing either party to reject is at most $2^{-\Omega(s)}$.

Finally, if Bob does not reject then he computes his own $R_B = \mathsf{Ext}_1(X, W')$ where $W'$ is a random string sampled from his own random bits. Thus in this case we must have that $R_B$ is $2^{-s}$-close to being private and uniform. Thus we must have $\Delta((R_B, E'), (\mathsf{purify}(R_B), E')) \le 2^{-s}$. Now if Eve is passive then clearly $R_A$ is also $2^{-s}$-close to being private and uniform. If Eve is active and does not change $Y$, then by the above analysis if $W \neq W'$ then Alice rejects with probability $1 - 2^{-s}$. Now consider the probability that Alice rejects when Eve is active and changes $Y$. Let $A$ stand for the event that Alice rejects in this case, and $B$ stand for the event that Bob rejects in this case. By Theorem 7.4 we have

$$\Pr[B] + \Pr[A \mid \bar{B}] \Pr[\bar{B}] \ge 1 - 2^{-\Omega(s)}.$$

Now if Bob rejects, then Bob will not send $(W', T')$ to Alice. Thus in this case for Alice not to reject, Eve has to come up with a string $W$ and the correct tag $T = \mathsf{MAC}_R(W)$ for Alice. Note that in this case conditioned on the transcript, the average conditional min-entropy of $R$ is still at least $3d_1/\rho$. Thus by Theorem 3.12 the probability that Eve can do this without causing Alice to reject is at most $2^{-s}$. Thus we have

$$\Pr[A \mid B] \ge 1 - 2^{-s}.$$

Therefore

$$\Pr[A] = \Pr[A \mid B] \Pr[B] + \Pr[A \mid \bar{B}] \Pr[\bar{B}] \ge (1 - 2^{-s}) \Pr[B] + \Pr[A \mid \bar{B}] \Pr[\bar{B}]$$

$$\ge (1 - 2^{-s})(\Pr[B] + \Pr[A \mid \bar{B}] \Pr[\bar{B}]) \ge (1 - 2^{-s})(1 - 2^{-\Omega(s)})$$

$$\ge 1 - 2^{-\Omega(s)}.$$

Thus, in the case where Eve is active, Alice rejects with probability $1 - 2^{-\Omega(s)}$. Therefore we must have $\Delta((R_A, E'), (\mathsf{purify}(R_A), E')) \le 2^{-\Omega(s)}$. Now by choosing an appropriate $s = O(\log(1/\epsilon))$ we have that $2^{-\Omega(s)} \le \epsilon$ and the entropy loss is $O(\log n + \log(1/\epsilon))$. The number of rounds is $2(L+1) = O(d_1/d_2) = O(s/\ell) = O((\log n + \log(1/\epsilon))/\sqrt{k})$ and the communication complexity is $O(L d_2^2) = O(d_1 d_2) = O((\log n + \log(1/\epsilon))\sqrt{k})$. ■

8 Non-Malleable Condenser for Linear Min-Entropy 

In this section we give a different non-malleable condenser for $(n, k)$ sources with $k = \delta n$ for any constant $0 < \delta < 1$. This construction has the advantage that the security parameter can achieve up to $\Omega(k)$ instead of $\Omega(\sqrt{k})$. The basic ingredient is a modified alternating extraction protocol borrowed from [Li12b].

Alternating Extraction. [Li12b] Assume that we have two parties, Quentin and Wendy. Quentin has a source $Q$ and a source $S_0$ with entropy rate $> 1/2$. Wendy has a source $X$ and a source $\bar{X} = (X_1 \circ \cdots \circ X_t)$. Suppose that $(Q, S_0)$ is kept secret from Wendy and $(X, \bar{X})$ is kept secret from Quentin. Let $s, d$ be two parameters for the protocol. Let $\mathsf{Ext}_q, \mathsf{Ext}_v, \mathsf{Ext}_w$ be seeded extractors as in Theorem 3.16. Let $\mathsf{Raz}$ be the two-source extractor in Theorem 3.17. The alternating extraction protocol is an interactive process between Quentin and Wendy that runs in $t+1$ steps.

In the 0'th step, Quentin sends $S_0$ to Wendy, Wendy computes $R_0 = \mathsf{Raz}(S_0, X)$ and replies $R_0$ to Quentin, Quentin then computes $S_1 = \mathsf{Ext}_q(Q, R_0)$. In this step $R_0, S_1$ each outputs $d$ bits. In the first step, Quentin sends $S_1$ to Wendy, Wendy computes $V_1 = \mathsf{Ext}_v(X_1, S_1)$ and $R_1 = \mathsf{Ext}_w(X, S_1)$.
Figure 4: Alternating Extraction.



She sends $R_1$ to Quentin and Quentin computes $S_2 = \mathsf{Ext}_q(Q, R_1)$. In this step $V_1$ outputs $2^{t-1}s$ bits, and $R_1, S_2$ each outputs $d$ bits. In each subsequent step $i$, Quentin sends $S_i$ to Wendy, Wendy computes $V_i = \mathsf{Ext}_v(X_i, S_i)$ and $R_i = \mathsf{Ext}_w(X, S_i)$. She replies $R_i$ to Quentin and Quentin computes $S_{i+1} = \mathsf{Ext}_q(Q, R_i)$. In step $i$, $V_i$ outputs $2^{t-i}s$ bits, and $R_i, S_{i+1}$ each outputs $d$ bits. Thus, the process produces the following sequence:

$$S_0,\ R_0 = \mathsf{Raz}(S_0, X),\ S_1 = \mathsf{Ext}_q(Q, R_0),$$

$$V_1 = \mathsf{Ext}_v(X_1, S_1),\ R_1 = \mathsf{Ext}_w(X, S_1),\ \cdots,$$

$$S_t = \mathsf{Ext}_q(Q, R_{t-1}),\ V_t = \mathsf{Ext}_v(X_t, S_t),\ R_t = \mathsf{Ext}_w(X, S_t).$$

Look-Ahead Extractor. Let $Y = (Q, S_0)$ be a seed; the look-ahead extractor is defined as

$$\mathsf{laExt}((X, \bar{X}), Y) \stackrel{\text{def}}{=} V_1, \cdots, V_t.$$

The following lemma is proved in [Li12b].

Lemma 8.1. [Li12b] In the alternating extraction protocol, assume that $X$ has $n$ bits and $Q, X_i$ each has at most $n$ bits. Let $d = O(\log n + s) \ge s$ be the number of random bits needed in Theorem 3.16 to achieve error $2^{-s}$. Let $\bar{X}' = (X'_1 \circ \cdots \circ X'_t)$ be another distribution on the same support of $\bar{X}$ and $(Q', S'_0)$ be another distribution on the same support of $(Q, S_0)$ such that $(Q, S_0, Q', S'_0)$ is independent of $(X, \bar{X}, \bar{X}')$. Assume that $X$ has min-entropy at least $2^t(4s) + 2td$, $Q$ has min-entropy at least $4td + 60d + 6s$ and $S_0$ is a $(30d + 3s, 29d + 2s)$ source.

Now run the alternating extraction protocol with $(X, \bar{X}')$ and $(Q', S'_0)$ where in each step we obtain $S'_i, R'_i, V'_i$. For any $i$, $0 \le i \le t$, let $\mathsf{View}_i = (S_0, \cdots, S_i, R_0, \cdots, R_i, V_1, \cdots, V_i)$ and let $\mathsf{View}'_i = (S'_0, \cdots, S'_i, R'_0, \cdots, R'_i, V'_1, \cdots, V'_i)$. Then if for some $j \le t$, $X_j$ has min-entropy at least $2^t(3s) + 2td$, we have

$$(V_j, S_j, S'_j, \mathsf{View}_{j-1}, \mathsf{View}'_{j-1}, Q, Q') \approx_{O(t 2^{-s})} (U_{2^{t-j}s}, S_j, S'_j, \mathsf{View}_{j-1}, \mathsf{View}'_{j-1}, Q, Q').$$
We now describe our non-malleable condenser.

Algorithm 8.2 ($\mathsf{nmCond}(x, y)$).

Input: $\ell$ – an integer parameter, $x$ – a sample from an $(n, k)$-source with $k \ge \delta n$, $y$ – an independent random seed with $y = (y_1, y_2)$.
Output: $z$ – an $m$ bit string.

Sub-Routines and Parameters:

Let $d = O(\log n + \ell)$ be the length of a seed that can achieve error $2^{-5\ell}$ for both the non-malleable extractor in Theorem 3.18 and the strong extractor in Theorem 3.16.

Let $\mathsf{Cond} : \{0,1\}^n \to (\{0,1\}^{n'})^C$ be a rate-$(\delta \to 0.9, 2^{-2\ell})$-somewhere-condenser as in Theorem 3.15, where $C = \mathrm{poly}(1/\delta)$, $n' = \mathrm{poly}(\delta) n$.

Let $\mathsf{nmExt} : \{0,1\}^{n'} \times \{0,1\}^d \to \{0,1\}^{m'}$ be a $(0.8n', 2^{-2\ell})$-non-malleable extractor as in Theorem 3.18 with output length $m' = 6 \cdot 2^C \ell$.

Let $y_1$ be a random string with $d$ bits, $y_2$ be a random string with $d' = 4Cd + 61d + 14\ell$ bits.

Let $\mathsf{nmExt}_2 : \{0,1\}^{2^C(10\ell)} \times \{0,1\}^{d'} \to \{0,1\}^{2^C(4\ell)}$ be a $(2^C(10\ell), 2^{-4\ell})$-non-malleable extractor as in Theorem 3.18.

Let $\mathsf{laExt}$ be the look-ahead extractor defined above, with parameters $(2\ell, d)$ and using $q = y_2$ and $s_0$ is the first $30d + 6\ell$ bits of $y_2$.

1. Compute $(x_1, \ldots, x_C) = \mathsf{Cond}(x)$.

2. Compute $w = \mathsf{Ext}(x, y_1)$ with output size $2^C(10\ell)$.

3. Compute $\bar{x} = (\bar{x}_1, \cdots, \bar{x}_C)$ where $\bar{x}_j = \mathsf{nmExt}(x_j, y_1)$.

4. Compute $v = (v_1, \ldots, v_C) = \mathsf{laExt}((x, \bar{x}), y_2)$.

5. Output $z = (\mathsf{nmExt}_2(w, y_2), v)$ such that $\mathsf{nmExt}_2(w, y_2)$ has size $2^C(4\ell)$.



We have the following theorem. 

Theorem 8.3. For any constant $0 < \delta < 1$ and $k = \delta n$ there exists a constant $C_1 = 2^{\mathrm{poly}(1/\delta)}$ such that given any $0 < s < k/C_1$, the above construction is a $(k, s, 2^{-s})$-non-malleable condenser with seed length $\mathrm{poly}(1/\delta)(\log n + s)$.

Proof. Let $\mathcal{A}$ be any (deterministic) function such that $\forall y \in \mathsf{Supp}(Y)$, $\mathcal{A}(y) \neq y$. We will show that for most $y$, with high probability over the fixing of $\mathsf{nmCond}(X, \mathcal{A}(y))$, $\mathsf{nmCond}(X, y)$ is still close to having min-entropy at least $\ell$. Let $Y' = \mathcal{A}(Y)$. Thus $Y' \neq Y$. In the following analysis we will use letters with prime to denote the corresponding random variables produced with $Y'$ instead of $Y$. Let $H = \mathsf{nmExt}_2(W, Y_2)$. Thus $Z = (H, V)$. We have the following two cases.

Case 1: $Y_1 = Y'_1$. In this case, since $Y' \neq Y$, we must have that $Y_2 \neq Y'_2$. Now by Theorem 3.16 we have that

$$(W, Y_1) \approx_{2^{-5\ell}} (U, Y_1).$$
Therefore, we can now fix $Y_1$ (and thus $Y'_1$), and with probability $1 - 2^{-\ell}$ over this fixing, $W$ is $2^{-4\ell}$-close to uniform. Moreover, after this fixing $W$ is a deterministic function of $X$ and thus is independent of $Y_2$. Note also that after this fixing, $Y'_2$ is a deterministic function of $Y_2$. Thus by Theorem 3.18 we have that

$$(H, H', Y_2, Y'_2) \approx_{O(2^{-4\ell})} (U_{2^C(4\ell)}, H', Y_2, Y'_2).$$

Therefore, we can now further fix $Y_2$ (and thus $Y'_2$) and with probability at least $1 - O(2^{-\ell})$ over this fixing, $(H, H')$ is $2^{-3\ell}$-close to $(U_{2^C(4\ell)}, H')$. Thus we can further fix $H'$, and with probability at least $1 - 2^{-\ell}$ over this fixing, $H$ is $2^{-2\ell}$-close to uniform. Now note that $H$ has size $2^C(4\ell)$ and $V'$ has size at most $2^C(2\ell)$. Thus by Lemma 3.21, we can further fix $V'$, and with probability at least $1 - 2 \cdot 2^{-\ell}$ over this fixing, $H$ is $2^{-\ell}$-close to having min-entropy at least $2^C(4\ell) - 2^C(2\ell) - \ell > 3\ell$.

Thus in this case we have shown that, with probability $1 - O(2^{-\ell})$ over the fixing of $Y$, with probability $1 - O(2^{-\ell})$ over the fixing of $Z'$, $Z$ is $2^{-\ell}$-close to having min-entropy at least $3\ell > 2\ell$.

Case 2: $Y_1 \neq Y'_1$. In this case, first note that by Theorem 3.15, $\mathsf{Cond}(X) = (X_1, \ldots, X_C)$ is $2^{-\ell}$-close to a somewhere rate-0.9-source with $C$ rows, and each row has length $\Omega(n)$. In the following we will simply treat it as a somewhere rate-0.9-source, since this only adds $2^{-\ell}$ to the error. We assume that $X_g$, $1 \le g \le C$, is a rate-0.9-source².

Now since the adversary changes $Y_1$ to $Y'_1 \neq Y_1$, by Theorem 3.18 we have that

$$(\bar{X}_g, \bar{X}'_g, Y_1) \approx_{2^{-2\ell}} (U_{m'}, \bar{X}'_g, Y_1).$$

As the first step for the following analysis, we now fix $Y_1, Y'_1$ and $W' = \mathsf{Ext}(X, Y'_1), \bar{X}'_g$. Note that $Y'_1$ is a deterministic function of $(Y_1, Y_2)$, and after fixing $Y'_1$, $(W', \bar{X}'_g)$ is a deterministic function of $X$. Thus by Lemma 3.9 we have the following claim.

Claim 8.4. After the fixings of $(Y_1, Y'_1, W', \bar{X}'_g)$, $\bar{X}_g$ is a deterministic function of $X$ and is $2^{-\ell}$-close to a source with average conditional min-entropy $m' - 2^C(4\ell)$.

Note that by Lemma 3.9, after this fixing, the average conditional min-entropy of $X$ is at least $k - m' - 2^C(4\ell)$ and $m' = \mathrm{poly}(\delta) n$. Thus for a sufficiently small $\ell = \Omega(k)$ we can ensure that $k - m' - 2^C(4\ell) \ge 2^C(8\ell) + 2Cd$ and $m' - 2^C(4\ell) \ge 2^C(6\ell) + 2Cd$. Since $Y_1$ is independent of $Y_2$ and $Y'_1$ is a deterministic function of $(Y_1, Y_2)$, by Lemma 3.19 we have that with probability $1 - 2 \cdot 2^{-2\ell}$ over this fixing, $Q = Y_2$ is a source with min-entropy at least $4Cd + 60d + 12\ell$ and $S_0$ is a source with min-entropy $29d + 4\ell$. Now by Lemma 8.1 (and note that $s = 2\ell$) we have that

$$(V_g, S_g, S'_g, \mathsf{View}_{g-1}, \mathsf{View}'_{g-1}, Y_2, Y'_2) \approx_{O(C 2^{-2\ell})} (U_{2^{C-g}(2\ell)}, S_g, S'_g, \mathsf{View}_{g-1}, \mathsf{View}'_{g-1}, Y_2, Y'_2).$$

Adding back all the error, and noticing that we have fixed $(Y_1, Y'_1, W', \bar{X}'_g)$ before, we have

$$(V_g, S_g, S'_g, \mathsf{View}_{g-1}, \mathsf{View}'_{g-1}, W', \bar{X}'_g, Y_1, Y'_1, Y_2, Y'_2) \approx_{O(C 2^{-\ell})} (U_{2^{C-g}(2\ell)}, S_g, S'_g, \mathsf{View}_{g-1}, \mathsf{View}'_{g-1}, W', \bar{X}'_g, Y_1, Y'_1, Y_2, Y'_2).$$

Note that $V'_g = \mathsf{Ext}_v(\bar{X}'_g, S'_g)$ and $H' = \mathsf{nmExt}_2(W', Y'_2)$. Thus we have that

² In general a somewhere rate-0.9-source is a convex combination of elementary somewhere rate-0.9-sources, but without loss of generality we can assume it is an elementary somewhere rate-0.9-source.
$$(V_g, \mathsf{View}'_{g-1}, H', V'_g, Y) \approx_{O(C 2^{-\ell})} (U_{2^{C-g}(2\ell)}, \mathsf{View}'_{g-1}, H', V'_g, Y).$$

This implies that

$$(V_g, H', V'_1, \cdots, V'_g, Y) \approx_{O(C 2^{-\ell})} (U_{2^{C-g}(2\ell)}, H', V'_1, \cdots, V'_g, Y).$$

Thus we have that with probability $1 - O(C 2^{-\ell/2})$ over the fixing of $Y$,

$$(V_g, H', V'_1, \cdots, V'_g) \approx_{2^{-3\ell/2}} (U_{2^{C-g}(2\ell)}, H', V'_1, \cdots, V'_g).$$

Thus, with probability $1 - 2^{-\ell/2}$ over the further fixing of $(H', V'_1, \cdots, V'_g)$, we have $V_g \approx_{2^{-\ell}} U_{2^{C-g}(2\ell)}$. Now note the size of $(V'_{g+1}, \cdots, V'_C)$ is at most $\sum_{i=g+1}^{C} 2^{C-i}(2\ell) = 2^{C-g}(2\ell) - 2\ell$, and that $V_g$ has size $2^{C-g}(2\ell)$. Thus by Lemma 3.21, with probability $1 - 2 \cdot 2^{-\ell/2}$ over the further fixing of $(V'_{g+1}, \cdots, V'_C)$, we have that $V_g$ is $2^{-\ell/2}$-close to a source with min-entropy $2\ell - \ell/2 > \ell$. Since $V' = (V'_1, \cdots, V'_g, V'_{g+1}, \cdots, V'_C)$ and $Z' = (H', V')$, altogether in this case we have that with probability $1 - O(C 2^{-\ell/2})$ over the fixing of $Y$, with probability $1 - 2^{-\ell/2}$ over the further fixing of $Z'$, $V_g$ is $2^{-\ell/2}$-close to a source with min-entropy $\ge \ell$. Thus $Z$ is also $2^{-\ell/2}$-close to a source with min-entropy $\ge \ell$.

Combining Case 1 and Case 2, and noticing that the fraction of "bad seeds" that an adversary can achieve is at most the sum of the fractions of bad seeds in the two cases, we have that with probability $1 - O(C 2^{-\ell/2})$ over the fixing of $Y$, with probability $1 - 2^{-\ell/2}$ over the further fixing of $Z'$, $Z$ is $2^{-\ell/2}$-close to a source with min-entropy $\ge \ell$. By choosing an appropriate $\ell = O(s)$ we have that the construction is a $(k, s, 2^{-s})$-non-malleable condenser with seed length $O(Cd) = \mathrm{poly}(1/\delta)(\log n + s)$. ■

Combining this theorem with Theorem 6.5, we get the following theorem. 

Theorem 8.5. There exists an absolute constant $C_0 > 1$ such that for any constant $0 < \delta < 1$ and $k = \delta n$ there exists a constant $C_1 = 2^{\mathrm{poly}(1/\delta)}$ such that given any $\epsilon > 0$ with $C_1 \log(1/\epsilon) \le k$, there exists an explicit 2-round privacy amplification protocol for $(n, k)$ sources with security parameter $\log(1/\epsilon)$, entropy loss $C_0(\log n + \log(1/\epsilon))$ and communication complexity $\mathrm{poly}(1/\delta)(\log n + \log(1/\epsilon))$.

9 Conclusions and Open Problems 

In this paper we construct explicit non-malleable condensers for arbitrary min-entropy, and use them to give an explicit 2-round privacy amplification protocol with optimal entropy loss for arbitrary min-entropy $k$, with security parameter up to $s = \Omega(\sqrt{k})$. This is the first explicit protocol that simultaneously achieves optimal parameters in both round complexity and entropy loss, for arbitrary min-entropy.

We then generalize this result to give a privacy amplification protocol that runs in $O(s/\sqrt{k})$ rounds and achieves optimal entropy loss for arbitrary min-entropy $k$, with security parameter up to $s = \Omega(k)$. This significantly improves the protocol in [CKOR10]. In the special case where $k = \delta n$ for some constant $\delta > 0$, we give better non-malleable condensers and a 2-round privacy amplification protocol with optimal entropy loss for security parameter up to $s = \Omega(k)$, which improves the entropy loss and communication complexity of the 2-round protocol in [Li12b].

Some open problems include constructing better non-malleable extractors or non-malleable condensers, and constructing optimal privacy amplification protocols for security parameter bigger than $\sqrt{k}$. Another interesting problem is to find other applications of non-malleable extractors or non-malleable condensers.